CVE-2025-32231: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in the WordPress Bookingor plugin affecting versions through 1.0.6. The vulnerability was discovered by researcher Pham Van Tam on January 21, 2025, and was publicly disclosed on April 4, 2025. The vulnerability has been assigned CVE-2025-32231 and allows exploitation of incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 Base Score of 4.3 (Medium). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating that the vulnerability requires network access, low attack complexity, low privileges, and no user interaction. The vulnerability stems from missing authorization checks that could allow unprivileged users to execute higher privileged actions (Patchstack).

The vulnerability has been assessed as having a low severity impact. It affects the integrity of the system but does not impact confidentiality or availability. The vulnerability requires subscriber-level privileges to exploit (Patchstack).

As of April 2025, no official fix is available for this vulnerability. Given the low severity impact, virtual patching has been deemed unnecessary (Patchstack).