CVE-2025-12042: 
WordPress vulnerability analysis and mitigation

The Course Booking System plugin for WordPress contains a vulnerability (CVE-2025-12042) discovered on November 7, 2025, affecting all versions up to and including 6.1.5. The vulnerability stems from a missing capability check in the csv-export.php file, which allows unauthorized access to booking data (NVD).

The vulnerability is classified as CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 5.3 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with low confidentiality impact (C:L) and no impact on integrity (I:N) or availability (A:N) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to directly access the csv-export.php file and obtain an export of all booking data stored in the system. This represents a significant data exposure risk as sensitive booking information could be accessed without authorization (AttackerKB).

Website administrators running the Course Booking System plugin should immediately update to a version newer than 6.1.5 if available. Until an update is possible, it is recommended to implement additional access controls at the web server level to restrict access to the csv-export.php file (Wordfence).