Overview
The Booking X plugin for WordPress, versions 1.0 to 1.1.2, is susceptible to a severe data leakage vulnerability. The vulnerability, identified as CVE-2025-6814, allows unauthenticated attackers to gain access to, and download, sensitive user data and PayPal credentials. Any organization utilizing the vulnerable versions of this plugin is at risk, making this issue a significant concern within the cybersecurity landscape.
Vulnerability Summary
CVE ID: CVE-2025-6814
Severity: High (7.5 CVSS Score)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Unauthorized access and potential system compromise or data leakage
Affected Products
Escape the Surveillance Era
Most apps won’t tell you the truth.
They’re part of the problem.
Phone numbers. Emails. Profiles. Logs.
It’s all fuel for surveillance.
Ameeba Chat gives you a way out.
- • No phone number
- • No email
- • No personal info
- • Anonymous aliases
- • End-to-end encrypted
Chat without a trace.
Product | Affected Versions
Booking X Plugin for WordPress | 1.0 to 1.1.2
How the Exploit Works
The vulnerability exists due to a missing capability check in the export_now() function of the Booking X plugin. This flaw allows unauthenticated attackers to issue a crafted POST request, bypassing normal authentication processes. As a result, attackers can download all plugin data, including user accounts, user meta, and PayPal credentials.
Conceptual Example Code
The below pseudocode represents how an attacker might exploit this vulnerability:
POST /wp-content/plugins/booking-x/includes/export.php HTTP/1.1
Host: target.example.com
Content-Type: application/json
{ "action": "export_now", "nonce": "..." }In this example, the attacker crafts a POST request to the vulnerable endpoint in the plugin, triggering the export_now() function. The attacker can then download the resulting data file, gaining unauthorized access to sensitive data.
