{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14065", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-04T20:59:47.264Z", "datePublished": "2025-12-12T11:15:48.880Z", "dateUpdated": "2026-04-08T16:33:52.228Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:52.228Z"}, "affected": [{"vendor": "rodolforizzo76", "product": "Simple Bike Rental", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve all booking records containing customers' personally identifiable information (PII), including names, email addresses, and phone numbers."}], "title": "Simple Bike Rental <= 1.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Booking Data Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/06f4e758-3328-4ac1-956a-cfadddd12e53?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-bike-rental/trunk/includes/ajax.php#L137"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-bike-rental/tags/1.0.5/includes/ajax.php#L137"}, {"url": "https://plugins.trac.wordpress.org/changeset/3414692/simple-bike-rental/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-12-08T17:28:09.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-11T21:44:51.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T15:31:49.426900Z", "id": "CVE-2025-14065", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T15:31:53.789Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14065", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T15:31:49.426900Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T14:44:18.365Z"}}], "cna": {"title": "Simple Bike Rental <= 1.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Booking Data Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "rodolforizzo76", "product": "Simple Bike Rental", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-08T17:28:09.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-11T21:44:51.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/06f4e758-3328-4ac1-956a-cfadddd12e53?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-bike-rental/trunk/includes/ajax.php#L137"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-bike-rental/tags/1.0.5/includes/ajax.php#L137"}, {"url": "https://plugins.trac.wordpress.org/changeset/3414692/simple-bike-rental/"}], "descriptions": [{"lang": "en", "value": "The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve all booking records containing customers' personally identifiable information (PII), including names, email addresses, and phone numbers."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:52.228Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14065", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:33:52.228Z", "dateReserved": "2025-12-04T20:59:47.264Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T11:15:48.880Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve all booking records containing customers' personally identifiable information (PII), including names, email addresses, and phone numbers."}], "id": "CVE-2025-14065", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-12-12T12:15:46.057", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-bike-rental/tags/1.0.5/includes/ajax.php#L137"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-bike-rental/trunk/includes/ajax.php#L137"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3414692/simple-bike-rental/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/06f4e758-3328-4ac1-956a-cfadddd12e53?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:12:05.253296+00:00", "value": {"mitigation_remediation": ["Update the Simple Bike Rental plugin to the latest available version that includes the authorization check for the AJAX endpoint.", "Verify that the user roles on the WordPress site are correctly configured and limit Subscriber-level accounts to only necessary functionality; avoid granting excessive administrative privileges.", "Audit the plugin\u2019s AJAX endpoints or other sensitive routes for missing capability checks using a vulnerability scanning tool or reviewing the source code, especially if other custom plugins are in use."], "summary": {"action": "Apply Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The flaw affects the Simple Bike Rental plugin developed by rodolforizzo76, for all released versions up to and including 1.0.6. Users running any of these versions in a WordPress installation are susceptible, regardless of the website\u2019s configuration or other plugins.", "description_and_impact": "The Simple Bike Rental WordPress plugin suffers from a missing capability check on the 'simpbire_carica_prenotazioni' AJAX endpoint. Because the check is absent, any user with Subscriber or higher privileges can invoke the action and obtain the entire set of booking records. The data includes customers\u2019 names, email addresses, and phone numbers, meaning the vulnerability allows the disclosure of personally identifiable information. The weakness corresponds to CWE\u2011862, representing insufficient authorization, and it does not alter the integrity or availability of the system, only its confidentiality.", "risk_and_exploitability": "The CVSS base score is 4.3, indicating a medium confidentiality impact but no authentication or authorization prerequisites beyond normal subscription levels. The EPSS score of less than 1% suggests the vulnerability is rarely exploited in the wild. It is not listed in the CISA KEV catalog. The attack vector requires an authenticated user with at least Subscriber permissions who can call the exposed AJAX action, implying the threat is limited to individuals who have logged into the WordPress site or obtained credentials for a user of that level."}}}}, "created": "2025-12-14T21:16:26.300936+00:00", "updated": "2026-04-22T16:15:21.792195+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}