CVE-2025-10124 | THREATINT

Description

The Booking Manager WordPress plugin before 2.1.15 registers a shortcode that deletes bookings and makes that shortcode available to anyone with contributor and above privileges. When a page containing the shortcode is visited, the bookings are deleted.

PUBLISHED Reserved 2025-09-08 | Published 2025-10-10 | Updated 2025-10-10 | Assigner WPScan

Problem types

CWE-863 Incorrect Authorization

Product status

Default status

unaffected

Any version before 2.1.15

affected

Credits

Khaled Alenazi (Nxploited) finder

WPScan coordinator

References

wpscan.com/...rability/9bb0589f-34bb-40e1-b7f0-ee883b7b896c/ exploit vdb-entry technical-description

cve.org (CVE-2025-10124)

nvd.nist.gov (CVE-2025-10124)

Download JSON