Impact
The vulnerability is an Authentication Bypass Using an Alternate Path or Channel flaw (CWE-288, in the Authentication weakness category) that allows an attacker to abuse the authentication mechanism and potentially assume legitimate user accounts. Without proper authentication checks, an attacker could take over user accounts and access any functionality available to the affected role, compromising the confidentiality and integrity of the site's data. The description explicitly states that the bug enables authentication abuse, and because the flaw is present in all builds up to and including version 3.0.0, any site running an affected build is exposed to this risk.
Affected Systems
The affected system is the WordPress Booked plugin developed by Case-Themes, specifically any installation of the plugin at version 3.0.0 or earlier. Every WordPress site running such a version is exposed to the flaw until the plugin is updated to a newer release. No other products or versions are mentioned in the data.
Risk and Exploitability
The CVSS score of 6.7 places the vulnerability in the medium severity range, while the EPSS score of less than 1% indicates a low but non-zero estimated probability of exploitation activity in the wild over the next 30 days. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, which suggests that no widespread exploitation has been observed. The likely attack vector is an alternate or hidden URL path that bypasses the normal authentication flow, allowing an attacker to assume a user's identity. Successful exploitation would require only knowledge of a valid user account, so the scope is limited to the site's user base and the privileges granted to the impersonated account. The risk is therefore primarily to confidentiality and to potential control over the site's administrative functions.
OpenCVE Enrichment