Description
The Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21 via the 'view_request_details' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the details of any booking request. The vulnerability was partially patched in versions 1.3.18 and 1.3.21.
Published: 2025-05-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure of Booking Details
Action: Update Now
AI Analysis

Impact

The eaSYNC Booking plugin for WordPress is affected by an insecure direct object reference that permits unauthenticated attackers to view the details of any booking request. The flaw arises from the 'view_request_details' endpoint lacking proper validation on a user‑supplied key, allowing sensitive data such as guest contact information, booking dates, and special requests to be exposed and compromising confidentiality.

Affected Systems

All releases of the eaSYNC Booking – Hotels, Restaurants & Car Rentals plugin for WordPress (vendor Syntactics) up to and including version 1.3.21 are affected. Versions 1.3.18 and 1.3.21 contain partial mitigations, but the core issue remains exploitable. Administrators running any of these versions should upgrade as soon as a fully patched release becomes available.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1% suggests that the probability of exploitation is low at present. The vulnerability is not listed in the CISA KEV catalog, implying no publicly known active exploitation. Based on the description, it is inferred that attackers can trigger the flaw without authentication by crafting URLs that reference the 'view_request_details' endpoint with valid request identifiers; the attack vector is therefore a direct web request. Because sensitive booking information can be obtained, the primary risk is exposure of guests' personal data to an unauthenticated third party.

Generated by OpenCVE AI on April 22, 2026 at 04:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to the latest stable release that fully resolves the direct object reference issue.
  • Restrict access to the 'view_request_details' endpoint by configuring plugin settings or server rules so that only authenticated administrators can invoke it, thereby mitigating accidental or malicious exposure.
  • Conduct a security review of all other plugins and custom code for similar Insecure Direct Object Reference patterns, and run regular vulnerability scans to detect any future exposures.
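As an added illustration, not the eaSYNC plugin's own code and not part of the OpenCVE record, the hypothetical WordPress AJAX handler below shows the CWE-639 shape the advisory describes next to a hardened version. Every identifier in it (the hook names, the 'request_id' and 'token' parameters, the 'booking_requests' table and its columns, the nonce action) is an assumption; the page does not show the plugin's real implementation.

```php
<?php
// Added example, not the eaSYNC plugin's code. Every identifier below
// (hook names, 'request_id', the 'booking_requests' table and its columns,
// the nonce action and the 'view_token' column) is hypothetical.

// --- Vulnerable shape (CWE-639) ---------------------------------------------
// Registered on the *_nopriv_* hook, so anyone can call it; the record is
// selected purely by a caller-supplied sequential id, with no check that the
// caller is entitled to that record. The query is parameterised on purpose so
// that the only defect shown is the missing authorization check.
add_action( 'wp_ajax_nopriv_easync_view_request_details', 'easync_view_request_details_insecure' );
function easync_view_request_details_insecure() {
    global $wpdb;
    $id  = absint( $_GET['request_id'] ?? 0 );
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}booking_requests WHERE id = %d", $id
    ) );
    wp_send_json( $row ); // any booking, to any caller
}

// --- Hardened shape ---------------------------------------------------------
// Staff view: registered only on the authenticated hook, gated by a capability
// and a nonce, and limited to the columns the UI actually needs.
add_action( 'wp_ajax_easync_view_request_details', 'easync_view_request_details_staff' );
function easync_view_request_details_staff() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // Dies with a 403 unless the 'nonce' query argument was issued for this action.
    check_ajax_referer( 'easync_view_request_details', 'nonce' );

    $id = absint( $_GET['request_id'] ?? 0 );
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid request id' ), 400 );
    }

    global $wpdb;
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, guest_name, guest_email, checkin, checkout, notes
           FROM {$wpdb->prefix}booking_requests WHERE id = %d",
        $id
    ) );
    if ( null === $row ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    wp_send_json_success( $row );
}

// Guest view: if unauthenticated guests must be able to see their own request,
// do not key the lookup on the guessable id alone. Require a per-request
// secret issued at booking time (stored in a 'view_token' column) and compare
// it in constant time, so walking through ids yields nothing.
add_action( 'wp_ajax_nopriv_easync_view_my_request', 'easync_view_my_request' );
add_action( 'wp_ajax_easync_view_my_request', 'easync_view_my_request' );
function easync_view_my_request() {
    $id    = absint( $_GET['request_id'] ?? 0 );
    $token = sanitize_text_field( wp_unslash( $_GET['token'] ?? '' ) );
    if ( 0 === $id || 64 !== strlen( $token ) || ! ctype_xdigit( $token ) ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    global $wpdb;
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, guest_name, checkin, checkout, view_token
           FROM {$wpdb->prefix}booking_requests WHERE id = %d",
        $id
    ) );
    // Same response whether the id is missing or the token is wrong, so the
    // endpoint does not confirm which ids exist.
    if ( null === $row || ! hash_equals( $row->view_token, $token ) ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    unset( $row->view_token );
    wp_send_json_success( $row );
}

// Token issuance, to be called where the booking request row is inserted.
function easync_new_view_token() {
    return bin2hex( random_bytes( 32 ) ); // 64 hex characters
}
```

The staff nonce is produced with wp_create_nonce( 'easync_view_request_details' ) and sent as the 'nonce' query argument; the guest token is meant to be delivered once, for example in the booking confirmation link, and never derived from the id. With the hardened handlers in place, a run of 403 or 404 responses for consecutive 'request_id' values from one client in the web server log is the signal worth alerting on.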

Advisories
Source: EUVD
ID: EUVD-2025-16555
Title: The Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21 via the 'view_request_details' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the details of any booking request. The vulnerability was partially patched in versions 1.3.18 and 1.3.21.
History

Fri, 23 Jan 2026 19:45:00 +0000

  First Time appeared
    Added: Syntacticsinc; Syntacticsinc easync
  CPEs
    Removed: cpe:2.3:a:syntactics:free_booking_plugin_for_hotels\,_restaurant_and_car_rental:*:*:*:*:*:wordpress:*:*
    Added: cpe:2.3:a:syntacticsinc:easync:*:*:*:*:*:wordpress:*:*
  Vendors & Products
    Removed: Syntactics; Syntactics free Booking Plugin For Hotels\, Restaurant And Car Rental
    Added: Syntacticsinc; Syntacticsinc easync

Thu, 10 Jul 2025 14:45:00 +0000

  First Time appeared
    Added: Syntactics; Syntactics free Booking Plugin For Hotels\, Restaurant And Car Rental
  CPEs
    Added: cpe:2.3:a:syntactics:free_booking_plugin_for_hotels\,_restaurant_and_car_rental:*:*:*:*:*:wordpress:*:*
  Vendors & Products
    Added: Syntactics; Syntactics free Booking Plugin For Hotels\, Restaurant And Car Rental

Mon, 02 Jun 2025 20:15:00 +0000

  Metrics
    Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 31 May 2025 11:30:00 +0000

  Description
    Added: The Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21 via the 'view_request_details' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the details of any booking request. The vulnerability was partially patched in versions 1.3.18 and 1.3.21.
  Title
    Added: Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking <= 1.3.21 - Insecure Direct Object Reference to Sensitive Information Exposure
  Weaknesses
    Added: CWE-639
  References
  Metrics
    Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T16:47:29.012Z
Reserved: 2025-05-14T15:45:37.633Z
Link: CVE-2025-4691

Vulnrichment

Updated: 2025-06-02T15:17:00.510Z

NVD

Status: Analyzed
Published: 2025-05-31T12:15:20.133
Modified: 2026-01-23T19:32:27.247
Link: CVE-2025-4691

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:15:07Z

Weaknesses