Impact
The vulnerability is an insecure direct object reference that permits an attacker to supply a manipulated user‑controlled key, thereby bypassing the intended access control checks when accessing booking records in the Eagle Booking plugin. This flaw, identified as Authorization Bypass Through User‑Controlled Key (CWE-639), can expose or alter reservation information, compromising the confidentiality and integrity of booking data within the affected WordPress site.
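As an added illustration of the CWE-639 pattern described above (example code, not the Eagle Booking plugin's own code), a hypothetical WordPress AJAX handler is shown first without an ownership check and then with one; the table name, column names, nonce action and hook names are assumptions.

```php
<?php
// Added illustration, not the Eagle Booking plugin's code: a hypothetical WordPress
// AJAX handler that returns one booking record selected by a numeric id from the request.
// The demo_bookings table, its columns and the 'eb_demo_view_booking' action are assumptions.

// BEFORE (CWE-639 pattern): the only "check" is that the id parses as an integer.
// Whoever can reach the endpoint can read bookings that belong to other users.
function eb_demo_get_booking_vulnerable() {
    global $wpdb;
    $booking_id = absint( $_GET['booking_id'] ?? 0 );
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, user_id, room, checkin, checkout FROM {$wpdb->prefix}demo_bookings WHERE id = %d",
        $booking_id
    ), ARRAY_A );
    wp_send_json_success( $row );
}

// AFTER: the user-supplied key still selects the row, but the row is only returned when it
// belongs to the authenticated caller or the caller holds a capability that legitimately
// spans all bookings (manage_options is used here as a stand-in for a site-wide admin role).
function eb_demo_get_booking_hardened() {
    global $wpdb;
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    check_ajax_referer( 'eb_demo_view_booking', '_wpnonce' ); // CSRF guard; dies on failure
    $booking_id = absint( $_GET['booking_id'] ?? 0 );
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, user_id, room, checkin, checkout FROM {$wpdb->prefix}demo_bookings WHERE id = %d",
        $booking_id
    ), ARRAY_A );
    // Ownership check: compare the record's owner with the server-side user id, never with
    // anything the client sent. The same 404 is returned for "missing" and "not yours" so the
    // endpoint does not reveal which booking ids exist.
    if ( ! $row
        || ( (int) $row['user_id'] !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $row );
}
// Registering only the wp_ajax_ hook (not wp_ajax_nopriv_) keeps the handler off the
// unauthenticated path; the ownership check above is still what stops cross-user access.
add_action( 'wp_ajax_eb_demo_view_booking', 'eb_demo_get_booking_hardened' );
```

A useful log-side check for this class of bug is to record the caller's user id next to the requested booking id for each denied request, which makes id-enumeration attempts visible in the site's logs.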
Affected Systems
WordPress installations running the Eagle-Themes Eagle Booking plugin at version 1.3.4.3 or earlier are affected; administrators of any site that has this legacy plugin installed should confirm which version is present and whether it is active.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Given the plugin's design, the attack vector is most likely a remote web request in which the attacker supplies a crafted key to access or modify booking entries; the description notes no special environmental prerequisites.
OpenCVE Enrichment