CVE-2025-52801: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-52801) was discovered in VonStroheim TheBooking WordPress plugin affecting versions through 1.4.4. The vulnerability was initially reported by Nguyen Ngoc Quang Bach on May 8, 2025, and was publicly disclosed on July 30, 2025. This security issue allows accessing functionality not properly constrained by Access Control Lists (ACLs) (Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 base score of 7.3 (High). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating it can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, and has low impact on confidentiality, integrity, and availability (Patchstack).

The vulnerability allows an unprivileged user to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks in specific functions. This security issue is considered highly dangerous and is expected to become mass exploited (Patchstack).

As of the disclosure, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately (Patchstack).