CVE-2025-6814 – Booking X 1.0 - 1.1.2 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via export_now() Function

https://notcve.org/view.php?id=CVE-2025-6814

03 Jul 2025 — The Booking X plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_now() function in versions 1.0 to 1.1.2. This makes it possible for unauthenticated attackers to download all plugin data, including user accounts, user meta, and PayPal credentials, by issuing a crafted POST request. El complemento Booking X para WordPress es vulnerable al acceso no autorizado a los datos debido a la falta de una comprobación de capacidad en la función export_now(... • https://plugins.trac.wordpress.org/browser/booking-x/tags/1.1.2/admin/class-bookingx-admin.php#L784 • CWE-862: Missing Authorization •