Booking Manager
cpe:2.3:a:oplugins:booking_manager:*:*:*:*:wordpress:*:*
- < 2.1.15
A vulnerability exists in the Booking Manager WordPress plugin in versions prior to 2.1.15. The plugin improperly authorizes a shortcode that deletes bookings, making it accessible to users with contributor privileges and above. When a page containing this shortcode is accessed, the associated bookings are deleted.
Exploitation of this vulnerability allows for unauthorized deletion of bookings by users with contributor privileges.
To reproduce this vulnerability, install a version of the Booking Manager WordPress plugin prior to 2.1.15. Add a new booking by importing a malicious .ics file that includes a crafted event. Once the booking is imported and approved, a contributor can add the deletion shortcode to a post or page. When that post or page is accessed by an unauthenticated visitor, the booking will be deleted.
Users are advised to update the Booking Manager WordPress plugin to version 2.1.15 or later.