Impact
The vulnerability in the DesignThemes Booking Manager WordPress plugin is a missing authorization check (CWE-862): at least one action the plugin exposes is executed without verifying that the caller holds the role or capability it should require. Broken access control of this kind lets a user who lacks the intended privileges perform that action, and, if the affected entry point is registered for anonymous requests, an unauthenticated visitor can reach it as well. In a booking plugin the consequences of such a flaw would be creating, modifying or deleting bookings, reading booking data, or changing plugin settings; the advisory text does not state which specific action is exposed, so the concrete impact is not confirmed beyond the weakness class.
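To show what a CWE-862 flaw looks like in WordPress plugin code, and what the fix looks like, here is an added example. It is hypothetical code written for this page, not code from the DesignThemes Booking Manager plugin; the action names, the `dt_booking` post type and the `dt-booking/v1` REST namespace are assumptions. The vulnerable handler deletes a booking for anyone who can reach `admin-ajax.php`; the hardened handler and the REST route gate the same operation on a nonce and a capability check.

```php
<?php
/**
 * Illustrative example of CWE-862 (missing authorization) in a WordPress
 * plugin, with a hardened rewrite. Hypothetical code; not taken from the
 * DesignThemes Booking Manager plugin.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Registered for logged-in users (wp_ajax_) and anonymous visitors
// (wp_ajax_nopriv_), and the handler never asks who is calling.
add_action( 'wp_ajax_dt_delete_booking',        'dt_delete_booking_vulnerable' );
add_action( 'wp_ajax_nopriv_dt_delete_booking', 'dt_delete_booking_vulnerable' );

function dt_delete_booking_vulnerable() {
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    // No nonce, no capability check, no ownership check: any request to
    // admin-ajax.php?action=dt_delete_booking removes the chosen post.
    wp_delete_post( $booking_id, true );
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
// Only the logged-in hook is registered; anonymous requests never reach it.
add_action( 'wp_ajax_dt_delete_booking_secure', 'dt_delete_booking_secure' );

function dt_delete_booking_secure() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (client side: wp_create_nonce( 'dt_delete_booking' )). Dies on failure.
    check_ajax_referer( 'dt_delete_booking', 'nonce' );

    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $booking    = $booking_id ? get_post( $booking_id ) : null;

    // 2. The target must exist and be of the expected (assumed) post type.
    if ( ! $booking || 'dt_booking' !== $booking->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }

    // 3. Authorization: 'delete_post' is a meta capability that WordPress
    //    maps through the post type's capability set (the CPT is assumed to
    //    be registered with map_meta_cap => true), so an administrator or
    //    editor may delete any booking and an ordinary user only their own.
    if ( ! current_user_can( 'delete_post', $booking_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $booking_id, true );
    wp_send_json_success();
}

// --- Same gate on a REST route ----------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'dt-booking/v1', '/bookings/(?P<id>\d+)', array(
        'methods'  => 'DELETE',
        'callback' => function ( WP_REST_Request $request ) {
            $id = (int) $request['id'];
            return wp_delete_post( $id, true )
                ? new WP_REST_Response( null, 204 )
                : new WP_Error( 'dt_delete_failed', 'delete failed', array( 'status' => 500 ) );
        },
        // A destructive route must never use '__return_true' here: this
        // callback is the authorization decision for the whole route.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'delete_post', (int) $request['id'] );
        },
        'args' => array(
            'id' => array( 'validate_callback' => function ( $v ) { return is_numeric( $v ); } ),
        ),
    ) );
} );
```

When reviewing a plugin for this weakness class, the things to grep for are `wp_ajax_nopriv_` hooks on state-changing actions, `permission_callback` set to `__return_true`, and handlers that check a nonce but never call `current_user_can()`: a nonce proves the request came from a page the site served, not that the user is allowed to perform the action.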
Affected Systems
WordPress sites running the DesignThemes Booking Manager plugin at version 2.0 or earlier are affected. The record identifies the product as designthemes:DesignThemes Booking Manager; no other products or version ranges are listed, and the advisory does not name a fixed version, so the installed plugin version should be checked directly against the 2.0 threshold.
Risk and Exploitability
The CVSS score of 7.5 places the issue in the high-severity band. The EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild in the near term, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is a web request to the WordPress site on which the plugin's functionality is exposed, but the description does not state which role, if any, is needed to reach the unprotected action, so the exact preconditions are unknown. No public proof-of-concept is referenced; even so, missing-authorization flaws in WordPress plugins typically require little skill once the affected entry point is identified, so the low EPSS value reflects observed activity rather than difficulty of exploitation, and sites that depend on the plugin for booking management should treat it as a real risk.
OpenCVE Enrichment