Booking X WordPress Plugin Data Exposure Vulnerability

Vulnerability

A vulnerability in the Booking X plugin for WordPress, affecting versions 1.0 to 1.1.2, allows unauthenticated users to access sensitive data. This issue arises from a lack of proper capability checks in the 'export_now()' function, which enables unauthorized individuals to download plugin data, including user accounts, user metadata, and PayPal credentials, by sending a crafted POST request.

Impact

Exploitation of this vulnerability leads to unauthorized access to and download of sensitive information, including user accounts, user metadata, and PayPal credentials.

Reproduction

To reproduce this vulnerability, send a POST request to the WordPress site with the 'export_xml' parameter set to 'Export xml'. This request can be made using tools like cURL or Postman, or through a custom script that targets the vulnerable WordPress site.
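The root cause described above is an export handler that reacts to the 'export_xml' POST parameter without first checking who is asking. The following is an added illustration of how such a handler should gate the export, written for this page and not taken from the Booking X plugin: the function names (bx_handle_export_request, bx_build_export_xml, bx_render_export_form), the nonce action 'bx_export_xml', the nonce field 'bx_export_nonce', and the 'manage_options' capability are all assumptions chosen for the example.

```php
<?php
// Illustrative hardened export handler (hypothetical names; not the plugin's code).
// The three controls that were missing in the described flaw: a capability check,
// a nonce check, and an audit log entry before any data leaves the site.

add_action( 'admin_init', 'bx_handle_export_request' );

function bx_handle_export_request() {
    // Only react to the export trigger this handler owns.
    if ( ! isset( $_POST['export_xml'] ) ) {
        return;
    }

    // 1. Authorisation. admin_init also fires for admin-ajax.php requests, so a
    //    hook alone does not prove the caller is an administrator; check it.
    //    A nonce is NOT an authorisation check: any logged-in user can obtain one.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to export this data.', 'bx' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. CSRF protection: the request must carry the nonce issued by the export form.
    check_admin_referer( 'bx_export_xml', 'bx_export_nonce' );

    // 3. Audit trail so an export of user data is visible in the server log.
    $user = wp_get_current_user();
    error_log( sprintf( 'booking-x export by user %d (%s)', $user->ID, $user->user_login ) );

    $xml = bx_build_export_xml();
    nocache_headers();
    header( 'Content-Type: application/xml; charset=' . get_option( 'blog_charset' ) );
    header( 'Content-Disposition: attachment; filename="booking-x-export.xml"' );
    echo $xml; // Already escaped per element in bx_build_export_xml().
    exit;
}

// Builds the export document. Only non-secret account fields are emitted here;
// credentials such as payment API keys should never be part of a bulk export.
function bx_build_export_xml() {
    $doc  = new DOMDocument( '1.0', 'UTF-8' );
    $root = $doc->createElement( 'users' );
    $doc->appendChild( $root );

    foreach ( get_users( array( 'fields' => array( 'ID', 'user_login', 'user_email' ) ) ) as $u ) {
        $node = $doc->createElement( 'user' );
        $node->setAttribute( 'id', (string) $u->ID );
        $node->appendChild( $doc->createElement( 'login', htmlspecialchars( $u->user_login ) ) );
        $node->appendChild( $doc->createElement( 'email', htmlspecialchars( $u->user_email ) ) );
        $root->appendChild( $node );
    }

    return $doc->saveXML();
}

// Form markup that emits the matching nonce (assumed to be rendered on a plugin admin page).
function bx_render_export_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'bx_export_xml', 'bx_export_nonce' ); ?>
        <input type="submit" name="export_xml" value="Export xml" class="button" />
    </form>
    <?php
}
```

The order matters: the capability check comes first so that an unauthenticated or low-privilege caller is rejected before the nonce is even inspected, and the handler returns a 403 rather than silently producing the file. When reviewing a plugin for this class of bug, look for every handler that reads `$_POST`/`$_GET` and produces data, and confirm each one calls `current_user_can()` with an appropriate capability before doing any work.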

Added: Jul 4, 2025, 3:19 AM
Updated: Jul 4, 2025, 3:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.