The vulnerability is a missing authorization flaw in the Booking Calendar and Notification plugin that allows attackers to bypass normal access controls. Because the plugin fails to enforce proper authentication checks, an unauthenticated or improperly authenticated user can gain privileged access to booking data and potentially execute administrative functions. The weakness corresponds to CWE‑862, which indicates a failure to properly verify possession of the necessary rights. This can lead to confidentiality and integrity breaches if an attacker can read or modify booking information, and may also enable wider system compromise if the plugin API is exposed.

The affected product is the Booking Calendar and Notification plugin from shiptrack. Versions from the earliest available up to and including 4.0.3 are impacted. Users running any of these releases on WordPress sites are at risk.

The CVSS score of 6.5 places the issue in the medium severity range. The EPSS score is less than 1%, suggesting a low exploitation probability. The vulnerability is not listed in CISA's KEV catalog. Attackers would likely need to navigate the plugin’s administrative interface or exploit exposed API endpoints, implying an external or authenticated (if privileged user compromised) vector. The lack of enforcement of authorization checks makes exploitation straightforward once the attacker gains a form of access, and the scope could extend across the entire WordPress installation if the plugin handles sensitive data.