The flaw is a missing authorization check in the WeDesignTech Ultimate Booking Addon that allows attackers to exploit incorrectly configured access control settings. An attacker who can influence the plugin’s configuration may alter booking data, change settings, or gain access to privileged booking management features. This can compromise the integrity of booking information and potentially expose sensitive customer data, depending on how the plugin stores and processes booking details.

The vulnerability affects the BuddhaThemes WeDesignTech Ultimate Booking Addon WordPress plugin in all versions from the earliest release up to and including 1.0.3. Any WordPress site that has this plugin installed and is running a version ≤1.0.3 is susceptible.

The CVSS score of 7.5 indicates a high severity risk, while the EPSS score of less than 1% suggests exploitation is currently rare. The plugin is not listed in the CISA KEV catalog, reflecting a lower known exploitation status. Although the description does not specify an explicit attack vector, a missing authorization flaw typically allows exploitation through authenticated user sessions or, in some cases, unauthenticated requests to plugin endpoints that lack proper permission checks. The risk is primarily to the confidentiality and integrity of booking data and any associated configuration settings.