Impact
The Booked plugin for WordPress, versions 3.0.0 and earlier, contains a broken access control flaw (CWE-862) that allows a subscriber-level user to invoke actions normally reserved for administrators or editors. This violation of the intended permission boundary can enable the attacker to alter or delete booking data, view sensitive information, or perform other high-privilege operations, thereby compromising the integrity and confidentiality of the site.
Affected Systems
WordPress sites running the ThemeREX Booked plugin version 3.0.0 or older are impacted. The vulnerability is present in all releases of the plugin up to and including 3.0.0.
Risk and Exploitability
The issue carries a CVSS base score of 7.1, a high severity rating. Exploitation requires an authenticated subscriber account, so an attacker would first need to obtain or register such credentials. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector, inferred from the broken access control description, is an authenticated request from a subscriber to a protected endpoint within the plugin that does not verify the caller's capabilities.
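The root cause described above (an authenticated endpoint that never checks the caller's capability) is a common WordPress pattern. The following is an added illustration, not code from the Booked plugin or from ThemeREX: a hypothetical admin-ajax handler written the vulnerable way, beside the hardened version that enforces a capability check, a nonce check, and an object-type check. The action names (`example_delete_booking`, `example_delete_booking_secure`), the capability (`manage_options`), the post type (`example_booking`) and the nonce action are all assumed names chosen for the example and do not correspond to anything in the plugin.

```php
<?php
// Added example, not Booked plugin code. All action, capability, post type and
// nonce names below are constructed for illustration.

// --- Vulnerable pattern (CWE-862): any logged-in user can reach this handler. ---
// A wp_ajax_{action} hook fires for every authenticated user, subscribers included,
// so registering the action alone does not establish an authorization boundary.
add_action( 'wp_ajax_example_delete_booking', 'example_delete_booking_vulnerable' );
function example_delete_booking_vulnerable() {
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    // No current_user_can() and no nonce check: a subscriber can delete any booking.
    wp_delete_post( $booking_id, true );
    wp_send_json_success( array( 'deleted' => $booking_id ) );
}

// --- Hardened pattern: authorize, then verify intent, then validate the object. ---
add_action( 'wp_ajax_example_delete_booking_secure', 'example_delete_booking_secure' );
function example_delete_booking_secure() {
    // 1. Authorization: require an explicit capability rather than mere login.
    //    wp_send_json_error() terminates the request, so nothing below runs on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_delete_booking_nonce', 'nonce' );

    // 3. Object-level validation: only act on posts of the expected type.
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    if ( 0 === $booking_id || 'example_booking' !== get_post_type( $booking_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid booking.' ), 400 );
    }

    wp_delete_post( $booking_id, true );
    wp_send_json_success( array( 'deleted' => $booking_id ) );
}

// The nonce must reach the client that calls the secure action. 'example-booking-admin'
// is an assumed script handle that the plugin would register and enqueue itself.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-booking-admin', 'exampleBooking', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_delete_booking_nonce' ),
    ) );
} );
```

The capability check is the fix for the class of flaw described in this advisory; the nonce and object checks are separate controls that a handler of this kind should also have. The same `current_user_can()` test belongs in the `permission_callback` of any REST route the plugin exposes, and a `wp_ajax_nopriv_` hook should never be registered for a privileged action. When reviewing or patching a plugin for this bug class, grep for every `add_action( 'wp_ajax_` registration and confirm the callback performs an authorization check before any state change or data read.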
OpenCVE Enrichment