{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69340", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:23.434Z", "datePublished": "2026-03-05T05:53:32.008Z", "dateUpdated": "2026-04-28T16:14:37.892Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "wedesigntech-ultimate-booking-addon", "product": "WeDesignTech Ultimate Booking Addon", "vendor": "BuddhaThemes", "versions": [{"changes": [{"at": "1.0.4", "status": "unaffected"}], "lessThanOrEqual": "1.0.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:19:41.263Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.3.</p>"}], "value": "Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.892Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-3-broken-access-control-vulnerability-2?_s_id=cve"}], "title": "WordPress WeDesignTech Ultimate Booking Addon plugin <= 1.0.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T15:06:07.401890Z", "id": "CVE-2025-69340", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T19:50:54.398Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69340", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-05T15:06:07.401890Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:04:51.826Z"}}], "cna": {"title": "WordPress WeDesignTech Ultimate Booking Addon plugin <= 1.0.3 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "BuddhaThemes", "product": "WeDesignTech Ultimate Booking Addon", "versions": [{"status": "affected", "changes": [{"at": "1.0.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.3"}], "packageName": "wedesigntech-ultimate-booking-addon", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:19:41.263Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-3-broken-access-control-vulnerability-2?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:01.150Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69340", "state": "PUBLISHED", "dateUpdated": "2026-04-27T19:50:54.398Z", "dateReserved": "2025-12-31T20:12:23.434Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:53:32.008Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WeDesignTech Ultimate Booking Addon: desde n/a hasta &lt;= 1.0.3."}], "id": "CVE-2025-69340", "lastModified": "2026-04-27T21:16:24.287", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-05T06:16:12.683", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-3-broken-access-control-vulnerability-2?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.3]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.0.4,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WeDesignTech Ultimate Booking Addon", "source": "cna", "vendor": "BuddhaThemes"}, "product": "wedesigntech_ultimate_booking_addon", "vendor": "buddhathemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:02:39.305223+00:00", "value": {"mitigation_remediation": ["Upgrade the WeDesignTech Ultimate Booking Addon to a version newer than 1.0.3", "Verify that WordPress user roles and capabilities are correctly configured and restrict booking administrative privileges to trusted accounts", "Disable or restrict access to the booking add\u2011on\u2019s settings and management pages if not needed", "Monitor server and plugin logs for unexpected access or configuration changes that could indicate exploitation"], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access and Configuration Modification"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the BuddhaThemes WeDesignTech Ultimate Booking Addon WordPress plugin in all versions from the earliest release up to and including 1.0.3. Any WordPress site that has this plugin installed and is running a version \u22641.0.3 is susceptible.", "description_and_impact": "The flaw is a missing authorization check in the WeDesignTech Ultimate Booking Addon that allows attackers to exploit incorrectly configured access control settings. An attacker who can influence the plugin\u2019s configuration may alter booking data, change settings, or gain access to privileged booking management features. This can compromise the integrity of booking information and potentially expose sensitive customer data, depending on how the plugin stores and processes booking details.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity risk, while the EPSS score of less than 1% suggests exploitation is currently rare. The plugin is not listed in the CISA KEV catalog, reflecting a lower known exploitation status. Although the description does not specify an explicit attack vector, a missing authorization flaw typically allows exploitation through authenticated user sessions or, in some cases, unauthenticated requests to plugin endpoints that lack proper permission checks. The risk is primarily to the confidentiality and integrity of booking data and any associated configuration settings."}}}}, "created": "2026-03-06T15:14:52.519501+00:00", "updated": "2026-04-27T20:15:12.261640+00:00", "vendors": ["buddhathemes", "buddhathemes$PRODUCT$wedesigntech_ultimate_booking_addon", "wordpress", "wordpress$PRODUCT$wordpress"]}