An authorization flaw in Bookingor means anyone who can reach the plugin’s endpoints may bypass intended access controls and perform booking‑related actions. The weakness is a classic missing authorization error, classified as CWE‑862. The vulnerability can allow an attacker to view, modify or delete booking data, compromising data integrity and potentially exposing sensitive information. The CVSS score of 4.3 indicates a moderate severity, suggesting that while the flaw is not exploitably severe on its own, it still warrants attention.

All installations of the Bookingor WordPress plugin from the earliest releases up to and including version 2.0.1 are affected. Any site that has not upgraded beyond 2.0.1 should be considered vulnerable unless the plugin’s access controls have been manually hardened.

The EPSS score is less than 1 %, indicating a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. That does not preclude exploitation; the least‑privileged authenticated user could target the plugin’s functions, or an attacker who can craft requests to the plugin’s URLs might bypass restricted access. The precise attack vector is not detailed in the description, but the flaw results from incorrectly configured access levels, so it is best inferred that HTTP requests to protected endpoints would be the exploitation path.