Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-reachable via HTTP with no complexity; PR:L reflects mandatory subscriber authentication; C:H for data disclosure only, no integrity or availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Broken Access Control in Bookify <= 1.1.1 versions.
AnalysisAI
Broken access control in the Bookify WordPress plugin (versions ≤ 1.1.1) allows authenticated subscriber-level users to access resources or functionality reserved for higher-privileged roles. The flaw stems from missing authorization checks (CWE-862), enabling low-privilege users to retrieve sensitive data they should be denied. No public exploit or CISA KEV listing has been identified at time of analysis, though Patchstack has documented the vulnerability with a CVSS 6.5 score reflecting high confidentiality impact.
Technical ContextAI
Bookify is a WordPress booking plugin developed under the myCRED vendor namespace (CPE: cpe:2.3:a:mycred:bookify). The root cause is CWE-862 (Missing Authorization), a class of flaw where server-side code fails to verify whether the authenticated user has the required capability or role before granting access to a protected action or data endpoint. In WordPress, this commonly manifests as REST API routes, AJAX handlers, or admin-facing endpoints that authenticate the request (confirming a valid logged-in user) but omit a subsequent capability check (e.g., current_user_can()), allowing any subscriber to invoke privileged operations. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms network-reachable exploitation requiring only a low-privilege WordPress account, with exclusively confidential data exposure and no integrity or availability impact.
RemediationAI
The primary remediation is to update the Bookify plugin beyond version 1.1.1. Patch availability per vendor-supplied data is referenced by Patchstack at https://patchstack.com/database/wordpress/plugin/bookify/vulnerability/wordpress-bookify-plugin-1-1-1-broken-access-control-vulnerability - however, an exact fixed release version is not independently confirmed in the available intelligence; verify the latest plugin version from the WordPress plugin repository or the myCRED vendor before updating. If an update is not immediately available or deployable, a concrete compensating control is to disable open user registration on the WordPress site (Settings → General → uncheck 'Anyone can register') to prevent unauthenticated parties from obtaining the subscriber role needed for exploitation; note this will block legitimate self-registration flows. Additionally, a Web Application Firewall (WAF) rule blocking unauthorized access to the specific vulnerable AJAX action or REST endpoint identified in the Patchstack report can reduce exposure without disabling registration.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210163
GHSA-xx38-25wr-hmh9