Skip to main content

Bookify CVE-2025-69332

| EUVDEUVD-2025-210163 MEDIUM
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-xx38-25wr-hmh9
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable via HTTP with no complexity; PR:L reflects mandatory subscriber authentication; C:H for data disclosure only, no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 23:18 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in Bookify <= 1.1.1 versions.

AnalysisAI

Broken access control in the Bookify WordPress plugin (versions ≤ 1.1.1) allows authenticated subscriber-level users to access resources or functionality reserved for higher-privileged roles. The flaw stems from missing authorization checks (CWE-862), enabling low-privilege users to retrieve sensitive data they should be denied. No public exploit or CISA KEV listing has been identified at time of analysis, though Patchstack has documented the vulnerability with a CVSS 6.5 score reflecting high confidentiality impact.

Technical ContextAI

Bookify is a WordPress booking plugin developed under the myCRED vendor namespace (CPE: cpe:2.3:a:mycred:bookify). The root cause is CWE-862 (Missing Authorization), a class of flaw where server-side code fails to verify whether the authenticated user has the required capability or role before granting access to a protected action or data endpoint. In WordPress, this commonly manifests as REST API routes, AJAX handlers, or admin-facing endpoints that authenticate the request (confirming a valid logged-in user) but omit a subsequent capability check (e.g., current_user_can()), allowing any subscriber to invoke privileged operations. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms network-reachable exploitation requiring only a low-privilege WordPress account, with exclusively confidential data exposure and no integrity or availability impact.

RemediationAI

The primary remediation is to update the Bookify plugin beyond version 1.1.1. Patch availability per vendor-supplied data is referenced by Patchstack at https://patchstack.com/database/wordpress/plugin/bookify/vulnerability/wordpress-bookify-plugin-1-1-1-broken-access-control-vulnerability - however, an exact fixed release version is not independently confirmed in the available intelligence; verify the latest plugin version from the WordPress plugin repository or the myCRED vendor before updating. If an update is not immediately available or deployable, a concrete compensating control is to disable open user registration on the WordPress site (Settings → General → uncheck 'Anyone can register') to prevent unauthenticated parties from obtaining the subscriber role needed for exploitation; note this will block legitimate self-registration flows. Additionally, a Web Application Firewall (WAF) rule blocking unauthorized access to the specific vulnerable AJAX action or REST endpoint identified in the Patchstack report can reduce exposure without disabling registration.

Share

CVE-2025-69332 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy