CVE-2025-6814

Name of the Vulnerable Software and Affected Versions: Booking X plugin for WordPress versions 1.0 through 1.1.2

Description: The issue allows unauthorized access to data due to a missing capability check on the export now() function. This enables unauthenticated attackers to download all plugin data, including user accounts, user meta, and PayPal credentials, by issuing a crafted POST request to a vulnerable API endpoint.

Recommendations: For versions 1.0 through 1.1.2, as a temporary workaround, consider disabling the export now() function until a patch is available. Restrict access to the plugin's data export functionality to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.