Overview
The Booking X plugin for WordPress, versions 1.0 to 1.1.2, is susceptible to a severe data leakage vulnerability. The vulnerability, identified as CVE-2025-6814, allows unauthenticated attackers to gain access to, and download, sensitive user data and PayPal credentials. Any organization utilizing the vulnerable versions of this plugin is at risk, making this issue a significant concern within the cybersecurity landscape.
Vulnerability Summary
CVE ID: CVE-2025-6814
Severity: High (7.5 CVSS Score)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Unauthorized access and potential system compromise or data leakage
Affected Products
A new way to communicate
Ameeba Chat is built on encrypted identity, not personal profiles.
Message, call, share files, and coordinate with identities kept separate.
- • Encrypted identity
- • Ameeba Chat authenticates access
- • Aliases and categories
- • End-to-end encrypted chat, calls, and files
- • Secure notes for sensitive information
Private communication, rethought.
Product | Affected Versions
Booking X Plugin for WordPress | 1.0 to 1.1.2
How the Exploit Works
The vulnerability exists due to a missing capability check in the export_now() function of the Booking X plugin. This flaw allows unauthenticated attackers to issue a crafted POST request, bypassing normal authentication processes. As a result, attackers can download all plugin data, including user accounts, user meta, and PayPal credentials.
Conceptual Example Code
The below pseudocode represents how an attacker might exploit this vulnerability:
POST /wp-content/plugins/booking-x/includes/export.php HTTP/1.1
Host: target.example.com
Content-Type: application/json
{ "action": "export_now", "nonce": "..." }In this example, the attacker crafts a POST request to the vulnerable endpoint in the plugin, triggering the export_now() function. The attacker can then download the resulting data file, gaining unauthorized access to sensitive data.