CVE-2025-47585: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-47585) was discovered in the Mage people team's Booking and Rental Manager WordPress plugin, affecting versions through 2.3.8. The vulnerability was reported on May 2, 2025, by researcher ghsinfosec and was publicly disclosed on May 22, 2025 (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) where functionality is not properly constrained by Access Control Lists (ACLs). It received a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, indicating that it is network-accessible, requires low attack complexity, and needs no privileges or user interaction to exploit (NVD).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization checks. This broken access control issue could potentially lead to unauthorized access to functionality that should be restricted (Patchstack).

The vulnerability has been fixed in version 2.3.9 of the Booking and Rental Manager plugin. Users are advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).