Description
The Course Booking System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in the csv-export.php file in all versions up to, and including, 6.1.5. This makes it possible for unauthenticated attackers to directly access the file and obtain an export of all booking data.
Published: 2025-11-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Disclosure
Action: Apply Patch
AI Analysis

Impact

The Course Booking System plugin for WordPress contains an authorization flaw that allows any visitor to download booking data without “edit_posts” or other capability checks. By requesting the csv-export.php endpoint, an unauthenticated user can receive a full CSV export of all stored bookings, exposing user information, dates, and contact details. The weakness is a missing capability check, identified as CWE‑862 and providing a direct path to sensitive data exposure.

Affected Systems

WordPress sites that use the Course Booking System plugin, version 6.1.5 or earlier. The issue exists in all releases up to and including 6.1.5.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate confidentiality impact with no authentication required. The EPSS score below 1% suggests a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can trigger the flaw simply by accessing the CSV export URL from any network that can reach the affected site, meaning the attack vector is network-based and does not require privileged credentials. Once the request is made, the exported data is returned without further checks.

Generated by OpenCVE AI on April 22, 2026 at 12:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Course Booking System plugin to version 6.1.6 or later.
  • Restrict web access to csv-export.php using server‑side access controls such as .htaccess or a firewall rule to allow only authenticated users.
  • Disable or remove the CSV export feature if the plugin provides a settings toggle, ensuring that booking data cannot be downloaded without authorization.

Generated by OpenCVE AI on April 22, 2026 at 12:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 10 Nov 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 10 Nov 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sat, 08 Nov 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Course Booking System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in the csv-export.php file in all versions up to, and including, 6.1.5. This makes it possible for unauthenticated attackers to directly access the file and obtain an export of all booking data.
Title Course Booking System <= 6.1.5 - Missing Authorization to Unauthenticated Booking Data Export
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:35.343Z

Reserved: 2025-10-21T18:53:56.509Z

Link: CVE-2025-12042

cve-icon Vulnrichment

Updated: 2025-11-10T17:20:16.999Z

cve-icon NVD

Status : Deferred

Published: 2025-11-08T04:15:43.937

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12042

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:15:16Z

Weaknesses