CVE-2025-22720: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-22720) was discovered in MagePeople Team's Booking and Rental Manager WordPress plugin affecting versions through 2.2.1. The vulnerability was disclosed on January 15, 2025, and involves incorrectly configured access control security levels (Patchstack Database).

The vulnerability is classified as CWE-862 (Missing Authorization) with a CVSS v3.1 score of 5.8 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is changed (S:C) with low impact on integrity (I:L) and no impact on confidentiality (C:N) or availability (A:N) (NVD).

The vulnerability allows unauthorized users to execute certain higher privileged actions due to broken access control mechanisms. This could potentially lead to unauthorized access to functionality that should be restricted (Patchstack Database).

Users are advised to update to version 2.2.2 or later to resolve the vulnerability. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack Database).