WordPress · Easync Booking · CVE-2025-4691
**Name of the Vulnerable Software and Affected Versions**
eaSYNC Booking plugin for WordPress versions prior to 1.3.22
**Description**
The issue allows unauthenticated attackers to view the details of any booking request due to missing validation on a user-controlled key, specifically via the 'view request details' endpoint. This is possible because of an Insecure Direct Object Reference vulnerability.
**Recommendations**
For versions prior to 1.3.22, update to version 1.3.22 or later to resolve the issue.
As a temporary workaround, consider restricting access to the 'view request details' endpoint until a patch is available.