Impact
The vulnerability is a missing authorization flaw that allows an attacker to perform actions on the booking calendar without proper permissions. An unauthenticated or low‑privilege user could create, modify, or delete bookings, or otherwise tamper with calendar data, thereby compromising the privacy and integrity of the booking system.
Affected Systems
WordPress sites that have installed Roland Murg’s WP Simple Booking Calendar plugin version 2.0.13 or earlier are affected. Any site using those older releases is at risk until an updated version is deployed.
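To find installations in the affected range, the plugin's file header can be read from disk and its version compared with 2.0.13. The script below is an added example, not code from the plugin or from this advisory; it assumes the plugin's main file declares `Plugin Name: WP Simple Booking Calendar`, and the sample header in it is constructed.

```python
import re
from pathlib import Path

LAST_AFFECTED = "2.0.13"                    # last affected release, per the advisory text
PLUGIN_NAME = "WP Simple Booking Calendar"  # assumed value of the Plugin Name header

def parse_header(text):
    """Extract the Plugin Name and Version fields from a WordPress plugin file header."""
    fields = {}
    for key in ("Plugin Name", "Version"):
        m = re.search(r"^[ \t/*#@]*" + re.escape(key) + r":[ \t]*(.+?)\s*$", text, re.M | re.I)
        if m:
            fields[key] = m.group(1)
    return fields

def version_key(version, width=4):
    """Turn '2.0.13' into (2, 0, 13, 0) so '2.0.13' and '2.0.13.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))

def is_affected(version):
    return version_key(version) <= version_key(LAST_AFFECTED)

def check_plugin_file(text):
    """Return (version, affected) for the booking plugin, or None for any other file."""
    fields = parse_header(text)
    if fields.get("Plugin Name", "").lower() != PLUGIN_NAME.lower() or "Version" not in fields:
        return None
    return fields["Version"], is_affected(fields["Version"])

def scan_plugins_dir(plugins_dir):
    """Check the top-level PHP files of every plugin folder under wp-content/plugins."""
    findings = {}
    for php in Path(plugins_dir).glob("*/*.php"):
        result = check_plugin_file(php.read_text(errors="replace")[:8192])
        if result:
            findings[str(php)] = result
    return findings

# Constructed sample header, not copied from the real plugin file.
SAMPLE = """<?php
/**
 * Plugin Name: WP Simple Booking Calendar
 * Version: 2.0.13
 */
"""

if __name__ == "__main__":
    print(check_plugin_file(SAMPLE))
```

Run `scan_plugins_dir` against each site's `wp-content/plugins` directory; any entry whose second element is `True` still needs the update.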
Risk and Exploitability
With a CVSS score of 6.5, the vulnerability is of moderate severity. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the issue is not yet listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker who can direct crafted requests to the plugin’s interfaces, either via the WordPress admin area or through exposed AJAX/REST endpoints, could exploit the missing authorization check. Successful exploitation would grant unauthorized access to booking data and actions, enabling privilege escalation within the WordPress installation.