
Cloud Vulnerability DB
A community-led vulnerabilities database
Booking Manager plugin versions before 2.1.15 contain a vulnerability that allows users with contributor and above privileges to delete bookings through an improperly secured shortcode. The vulnerability was discovered by Khaled Alenazi (Nxploited) and was publicly disclosed on September 19, 2025, with CVE identifier CVE-2025-10124. The vulnerability affects the booking-manager WordPress plugin (WPScan).
The vulnerability is classified as an Incorrect Authorization issue (CWE-863) with a CVSS score of 4.5 (medium). The vulnerability occurs because the plugin registers a shortcode that deletes bookings and makes that shortcode available to users with contributor and above privileges. When a page containing the shortcode is visited, the bookings are deleted without proper authorization checks (WPScan).
When exploited, this vulnerability allows users with contributor-level access to delete any booking in the system by simply adding a malicious shortcode to a post or page. The deletion occurs when any user, including unauthenticated visitors, accesses the page containing the shortcode (WPScan).
The vulnerability has been fixed in version 2.1.15 of the Booking Manager plugin. Users are advised to update to this version or later to mitigate the risk. No alternative workarounds have been provided (WPScan).
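To check whether an installation is still on an affected release, the following added example (not part of the original advisory or the plugin's code) reads the standard WordPress plugin header from the `booking-manager` directory and compares the version numerically against 2.1.15. The plugins directory path and the sample header are assumptions constructed for illustration.

```python
import re
from pathlib import Path

PLUGIN_SLUG = "booking-manager"   # plugin slug named in the advisory
FIXED_VERSION = "2.1.15"          # first fixed release per the advisory

# WordPress reads plugin metadata from a comment header in the main PHP file.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.I | re.M)
_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)

def parse_plugin_version(header_text):
    """Return the Version: value of a plugin header, or None if this is not one."""
    if not _NAME_RE.search(header_text):
        return None
    match = _VERSION_RE.search(header_text)
    return match.group(1) if match else None

def version_key(version):
    """Numeric tuple, so 2.1.9 sorts below 2.1.15 (string comparison gets this wrong)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def is_vulnerable(version):
    """True when the version is older than the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)

def audit_plugins_dir(plugins_dir):
    """Return (version, vulnerable) for the installed plugin, or None if absent."""
    plugin_dir = Path(plugins_dir) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php_file in sorted(plugin_dir.glob("*.php")):
        # WordPress only inspects the first 8 KB of a file for the header.
        version = parse_plugin_version(php_file.read_text(errors="replace")[:8192])
        if version:
            return version, is_vulnerable(version)
    return None

# Constructed sample header for demonstration (not copied from the real plugin).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Booking Manager
Version: 2.1.9
*/
"""

if __name__ == "__main__":
    found = parse_plugin_version(SAMPLE_HEADER)
    print(found, "vulnerable" if is_vulnerable(found) else "fixed")
```

Point `audit_plugins_dir` at the site's `wp-content/plugins` directory; a `None` result means the plugin is not installed there.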
Source: This report was generated using AI