Unauthorized Data Access in Booking X Plugin for WordPress
CVE-2025-6814

7.5HIGH

Key Information:

Vendor: WordPress
Status: Booking X
Vendor: CVE Published:; 4 July 2025

What is CVE-2025-6814?

The Booking X plugin for WordPress has a critical flaw that allows unauthorized users to access sensitive data. This issue arises from the lack of a capability check in the export_now() function. Versions 1.0 through 1.1.2 are affected, enabling unauthenticated attackers to craft POST requests and download confidential information, including user accounts and PayPal credentials. It is essential for users and administrators to update the plugin to mitigate this risk and strengthen their site's security.

References

https://plugins.trac.wordpress.org/browser/booking-x/tags...

https://wordpress.org/plugins/booking-x/#developers

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 4, 2025