Impact
The vulnerability is a Missing Authorization flaw in the Xola plugin that allows an attacker to take advantage of incorrectly configured access control levels. If exploited, an adversary could gain unauthorized access to protected plugin functions, potentially manipulating booking data, viewing sensitive information, or executing actions intended for privileged users. The weakness, categorized as CWE-862, directly undermines the confidentiality, integrity, and availability of the data handled by the plugin.
Affected Systems
Affected systems are WordPress installations with the Xola xola-bookings-for-tours-activities plugin installed, specifically versions 1.6 and earlier. The plugin is distributed by xola under the product name Xola for tours and activities booking.
Risk and Exploitability
The CVSS score of 4.3 indicates low severity. The EPSS score of less than 1% suggests a very low probability of exploitation at this time, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers would likely need access to the WordPress site as a normal user, or would need to send crafted requests to the plugin's endpoints. Once such access is obtained, they can perform operations that should be restricted to administrators. The overall risk is low but non-zero, and timely remediation is recommended to prevent future exploitation or changes in threat posture.
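To illustrate the class of defect described above (a plugin endpoint that is reachable by low-privileged users but never checks authorization), here is an added example of a vulnerable WordPress AJAX handler beside a hardened one. This is not code from the Xola plugin; the action names, function names and meta key are hypothetical.

```php
<?php
// Added illustration of CWE-862 (missing authorization) in a WordPress plugin
// AJAX handler. All names below are hypothetical; this is not the Xola plugin's code.

// Vulnerable pattern: the handler is registered for every logged-in user via
// wp_ajax_*, but never checks that the caller is allowed to change booking
// data, so any subscriber-level account can alter any booking's status.
add_action( 'wp_ajax_demo_update_booking', 'demo_update_booking_vulnerable' );
function demo_update_booking_vulnerable() {
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    $status     = sanitize_text_field( $_POST['status'] ?? '' );
    update_post_meta( $booking_id, 'demo_booking_status', $status );
    wp_send_json_success();
}

// Hardened pattern: verify a nonce (protects against CSRF) and, separately,
// an explicit capability check (the actual authorization). A nonce check on
// its own is not authorization: a low-privileged user can obtain a valid nonce.
add_action( 'wp_ajax_demo_update_booking_safe', 'demo_update_booking_safe' );
function demo_update_booking_safe() {
    check_ajax_referer( 'demo_update_booking', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    $status     = sanitize_text_field( $_POST['status'] ?? '' );
    update_post_meta( $booking_id, 'demo_booking_status', $status );
    wp_send_json_success();
}
```

When auditing a plugin for this weakness, review every `wp_ajax_*`, `wp_ajax_nopriv_*` and REST route callback for a `current_user_can()` (or equivalent `permission_callback`) check that matches the privilege the action actually requires.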