Description
The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve all booking records containing customers' personally identifiable information (PII), including names, email addresses, and phone numbers.
Published: 2025-12-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Apply Patch
AI Analysis

Impact

The Simple Bike Rental WordPress plugin suffers from a missing capability check on the 'simpbire_carica_prenotazioni' AJAX endpoint. Because the check is absent, any user with Subscriber or higher privileges can invoke the action and obtain the entire set of booking records. The data includes customers' names, email addresses, and phone numbers, so the vulnerability discloses personally identifiable information. The weakness is classified as CWE-862 (Missing Authorization); it affects only the confidentiality of the data, not the integrity or availability of the system.

Affected Systems

The flaw affects the Simple Bike Rental plugin developed by rodolforizzo76, for all released versions up to and including 1.0.6. Users running any of these versions in a WordPress installation are susceptible, regardless of the website’s configuration or other plugins.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N): reachable over the network with low attack complexity and no user interaction, requiring low privileges (an ordinary Subscriber account), with a low confidentiality impact and no integrity or availability impact. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild over the next 30 days. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with at least Subscriber permissions who can call the exposed AJAX action, so the threat is limited to individuals who can log into the WordPress site or who have obtained credentials for an account of that level.

Generated by OpenCVE AI on April 22, 2026 at 16:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simple Bike Rental plugin to the latest available version that includes the authorization check for the AJAX endpoint.
  • Verify that the user roles on the WordPress site are correctly configured and limit Subscriber-level accounts to only necessary functionality; avoid granting excessive administrative privileges.
  • Audit the plugin’s AJAX endpoints or other sensitive routes for missing capability checks using a vulnerability scanning tool or reviewing the source code, especially if other custom plugins are in use.
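To support the audit item above, and to illustrate the missing-capability-check pattern (CWE-862) described in the AI Analysis, here is an added example that is not part of this OpenCVE record or of the Simple Bike Rental plugin: a small Python script that scans PHP source for `add_action('wp_ajax_…')` registrations and reports every handler whose callback never calls `current_user_can()`. The embedded PHP is constructed sample code with hypothetical names (`demo_load_bookings`, `demo_load_bookings_safe`, `demo_bookings_nonce`, `demo_bookings` table); the plugin's real source is not reproduced here. The check is a string-level heuristic (presence of `current_user_can()` and of a nonce call inside the callback body), intended to triage handlers for manual review rather than to prove them safe.

```python
"""Heuristic audit: find WordPress AJAX handlers that lack a capability check.

Added example, not code from the Simple Bike Rental plugin or from OpenCVE.
It only looks for the presence of current_user_can() / nonce calls inside the
callback body, which is enough to triage CWE-862 candidates for manual review.
"""
import re

# Constructed sample plugin source with hypothetical names. The first handler
# mirrors the vulnerable pattern (authenticated AJAX action, no capability
# check); the second is the hardened form with a nonce and capability check.
SAMPLE_PLUGIN_SOURCE = r"""
<?php
add_action('wp_ajax_demo_load_bookings', 'demo_load_bookings');
function demo_load_bookings() {
    global $wpdb;
    $rows = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}demo_bookings");
    wp_send_json_success($rows);   // any logged-in user gets every booking
}

add_action('wp_ajax_demo_load_bookings_safe', 'demo_load_bookings_safe');
function demo_load_bookings_safe() {
    check_ajax_referer('demo_bookings_nonce', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    global $wpdb;
    $rows = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}demo_bookings");
    wp_send_json_success($rows);
}
"""

# Matches add_action('wp_ajax_<action>', '<callback>') and the nopriv variant
# (wp_ajax_nopriv_* hooks are reachable without any login at all).
AJAX_HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(?P<nopriv>nopriv_)?(?P<action>[\w-]+)['"]"""
    r"""\s*,\s*['"](?P<callback>\w+)['"]"""
)
NONCE_CALLS = ("check_ajax_referer(", "wp_verify_nonce(")


def extract_function_body(source: str, name: str):
    """Return the brace-delimited body of PHP function `name`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", source)
    if not m:
        return None
    start = source.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[start:i + 1]
    return None


def audit_ajax_handlers(source: str):
    """List every wp_ajax_* registration with its authorization posture."""
    findings = []
    for m in AJAX_HOOK_RE.finditer(source):
        action, callback = m.group("action"), m.group("callback")
        body = extract_function_body(source, callback)
        finding = {
            "action": action,
            "callback": callback,
            "unauthenticated": m.group("nopriv") is not None,
            "capability": False,
            "nonce": False,
        }
        if body is None:
            finding["status"] = "callback-not-found"
        else:
            finding["capability"] = "current_user_can(" in body
            finding["nonce"] = any(c in body for c in NONCE_CALLS)
            finding["status"] = "ok" if finding["capability"] else "missing-capability-check"
        findings.append(finding)
    return findings


def main():
    for f in audit_ajax_handlers(SAMPLE_PLUGIN_SOURCE):
        hook = ("wp_ajax_nopriv_" if f["unauthenticated"] else "wp_ajax_") + f["action"]
        print(f"{f['status']:24} {hook} -> {f['callback']}() "
              f"capability={f['capability']} nonce={f['nonce']}")


if __name__ == "__main__":
    main()
```

Run against a real plugin by replacing `SAMPLE_PLUGIN_SOURCE` with the contents of its PHP files; a `missing-capability-check` result means the handler runs for any logged-in user and should be reviewed for the data it returns. A nonce alone is not authorization: `check_ajax_referer()` only proves the request came from a page the site served to that user, so the hardened handler needs the `current_user_can()` test as well.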

Generated by OpenCVE AI on April 22, 2026 at 16:12 UTC.


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Sun, 14 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 12 Dec 2025 16:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Dec 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Dec 2025 11:30:00 +0000

Type: Description
Values Added: The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve all booking records containing customers' personally identifiable information (PII), including names, email addresses, and phone numbers.
Type: Title
Values Added: Simple Bike Rental <= 1.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Booking Data Exposure
Type: Weaknesses
Values Added: CWE-862
Type: References
Values Added: (none recorded)
Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:52.228Z

Reserved: 2025-12-04T20:59:47.264Z

Link: CVE-2025-14065

Vulnrichment

Updated: 2025-12-12T14:44:18.365Z

NVD

Status : Deferred

Published: 2025-12-12T12:15:46.057

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14065

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T16:15:21Z

Weaknesses