CVE-2025-31896: 
WordPress vulnerability analysis and mitigation

The GetBookingsWP WordPress plugin contains a Missing Authorization vulnerability (CVE-2025-31896) that affects versions up to and including 1.1.27. The vulnerability was discovered and publicly disclosed on April 2, 2025, impacting the plugin's access control security levels (WPScan, Patchstack).

The vulnerability is classified as a Missing Authorization (CWE-862) issue, with a CVSS 3.1 Base Score of 6.5 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The security flaw stems from a missing capability check on a function that allows authenticated users with Subscriber-level access and above to perform unauthorized actions (WPScan, Patchstack).

The vulnerability allows authenticated attackers with Subscriber-level privileges or higher to perform unauthorized actions within the plugin's functionality. This represents a broken access control issue that could potentially compromise the security of websites using the affected plugin versions (Patchstack).

Currently, there is no official fix available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately to protect their installations (Patchstack).