{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14982", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-19T16:56:52.018Z", "datePublished": "2026-01-16T04:44:33.474Z", "dateUpdated": "2026-04-08T16:37:05.571Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:05.571Z"}, "affected": [{"vendor": "wpdevelop", "product": "Booking Calendar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "10.14.11", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users."}], "title": "Booking Calendar <= 10.14.11 - Missing Authorization to Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/161d92e3-d255-4967-9449-be263a46bec8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L150"}, {"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L722"}, {"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L918"}, {"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L158"}, {"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/core/wpbc-activation.php#L661"}, {"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/core/any/class-admin-menu.php#L22"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432649%40booking%2Ftrunk&old=3416518%40booking%2Ftrunk&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking&old=3436482&new_path=%2Fbooking&new=3436482&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "timeline": [{"time": "2025-12-19T17:12:42.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-15T16:11:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T14:03:10.240893Z", "id": "CVE-2025-14982", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T14:03:32.703Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14982", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T14:03:10.240893Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T14:03:15.307Z"}}], "cna": {"title": "Booking Calendar <= 10.14.11 - Missing Authorization to Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "wpdevelop", "product": "Booking Calendar", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "10.14.11"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-19T17:12:42.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-15T16:11:56.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/161d92e3-d255-4967-9449-be263a46bec8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L150"}, {"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L722"}, {"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L918"}, {"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L158"}, {"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/core/wpbc-activation.php#L661"}, {"url": "https://plugins.trac.wordpress.org/browser/booking/trunk/core/any/class-admin-menu.php#L22"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432649%40booking%2Ftrunk&old=3416518%40booking%2Ftrunk&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking&old=3436482&new_path=%2Fbooking&new=3436482&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-16T04:44:33.474Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14982", "state": "PUBLISHED", "dateUpdated": "2026-01-16T14:03:32.703Z", "dateReserved": "2025-12-19T16:56:52.018Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-16T04:44:33.474Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users."}, {"lang": "es", "value": "El plugin Booking Calendar para WordPress es vulnerable a una falta de autorizaci\u00f3n, lo que lleva a la exposici\u00f3n de informaci\u00f3n sensible en todas las versiones hasta la 10.14.11, inclusive. Esto permite a atacantes autenticados, con acceso de nivel Suscriptor y superior, ver todos los registros de reservas en la base de datos, incluyendo informaci\u00f3n de identificaci\u00f3n personal (PII) como nombres, direcciones de correo electr\u00f3nico, n\u00fameros de tel\u00e9fono, direcciones f\u00edsicas, estado de pago, costos de reserva y hashes de reserva pertenecientes a otros usuarios."}], "id": "CVE-2025-14982", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-16T05:16:12.483", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking/trunk/core/any/class-admin-menu.php#L22"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking/trunk/core/wpbc-activation.php#L661"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L150"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L158"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L722"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L918"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking&old=3436482&new_path=%2Fbooking&new=3436482&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432649%40booking%2Ftrunk&old=3416518%40booking%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/161d92e3-d255-4967-9449-be263a46bec8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T15:39:42.119260+00:00", "value": {"mitigation_remediation": ["Update the Booking Calendar plugin to version 10.14.12 or later, which implements an authorization check for booking data.", "If an immediate update is not possible, restrict access to the booking list page and related endpoints so that only Administrator users (or a custom role with explicit permission) can view bookings, preventing Subscriber-level users from requesting booking listings.", "Audit any custom code that accesses booking data and add the same role checks before displaying sensitive information."], "summary": {"action": "Apply Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "This vulnerability affects all released versions of Booking Calendar up to and including version 10.14.11. The plugin, published by wpdevelop, is used in any WordPress installation that has installed this plugin. No specific sub\u2011version or patch is listed; the issue exists in all revisions prior to 10.14.12.", "description_and_impact": "The Booking Calendar plugin for WordPress suffers from a missing authorization check that allows authenticated users with Subscriber-level role or higher to view all booking records stored in the database. The exposed data includes personally identifiable information such as names, e\u2011mails, phone numbers, physical addresses, payment status, booking costs and booking hashes. Because the flaw can be triggered through normal plugin functionality, an attacker who can log in can harvest sensitive data across all bookings on the site.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate risk, and the EPSS score of less than 1% shows a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is primarily through normal logged\u2011in use; any authenticated user with Subscriber role or higher can trigger the flaw. Therefore, sites with many subscriber accounts face a significant risk of data exposure if the plugin is not updated."}}}}, "created": "2026-01-16T13:41:58.886982+00:00", "updated": "2026-04-22T15:45:20.872637+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdevelop", "wpdevelop$PRODUCT$booking_calendar"]}