PatchSiren cyber security CVE debrief

CVE-2026-25444 Magepeople inc. CVE debrief

A Missing Authorization vulnerability in the WpBookingly WordPress plugin (versions through 1.2.9) allows authenticated attackers with low privileges to invoke functionality for which the plugin does not enforce its intended access-control checks. The vulnerability, classified as CWE-862, was published to the NVD on May 26, 2026, and carries a CVSS 3.1 score of 4.3 (Medium severity). The issue affects the service-booking-manager plugin developed by Magepeople inc. No known exploitation in ransomware campaigns has been reported, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.

Vendor: Magepeople inc.
Product: WpBookingly
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

WordPress site administrators using the WpBookingly (service-booking-manager) plugin for appointment or service booking management; security teams monitoring plugin vulnerabilities; managed service providers hosting WordPress environments for clients in the hospitality, healthcare, or service industries.

Technical summary

The WpBookingly plugin for WordPress fails to properly validate authorization for certain administrative functions, allowing authenticated users with low privileges to perform actions that should require higher privileges. This broken access control vulnerability (CWE-862) exists in all versions through 1.2.9. The CVSS 3.1 score of 4.3 reflects the limited impact (integrity only) but emphasizes that exploitation requires only low-privileged network access with no user interaction.

Defensive priority

medium

Recommended defensive actions

  • Verify whether WpBookingly plugin versions 1.2.9 or earlier are installed in your WordPress environment
  • Upgrade to WpBookingly version 1.3.0 or later if available, or remove the plugin if no patch is available
  • Review user role permissions to ensure least-privilege access controls are enforced
  • Monitor WordPress audit logs for unauthorized access attempts to booking management functions
  • Subscribe to Patchstack or WordPress security advisories for updates on this vulnerability
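The following mu-plugin is an added illustration of the CWE-862 pattern described in the technical summary and of the log-monitoring action above; it is not WpBookingly's code and says nothing about which function in that plugin is affected. The handler, action, option and nonce names are hypothetical, and the snippet assumes it is loaded by WordPress (the `current_user_can`, `check_ajax_referer`, `wp_send_json_*` and `update_option` calls are standard WordPress APIs).

```php
<?php
/**
 * Plugin Name: Booking Capability Check (added example, not WpBookingly code)
 *
 * Shows the missing-authorization pattern (CWE-862) in a WordPress
 * plugin handler next to its hardened form. Every name below is
 * hypothetical and chosen for illustration only.
 */

// VULNERABLE PATTERN (kept unregistered): a wp_ajax_* hook is reachable by
// any logged-in account, including subscriber-level users. The handler
// assumes only administrators will call it and checks nothing, so a
// low-privileged user can change the booking settings (integrity impact,
// matching the I:L in the CVSS vector).
function example_update_booking_settings_unchecked() {
    update_option( 'example_booking_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}
// add_action( 'wp_ajax_example_update_booking_settings', 'example_update_booking_settings_unchecked' );

// HARDENED FORM: verify the request origin (nonce), verify the caller's
// capability (the authorization check that CWE-862 is about), sanitize the
// input, and record denied attempts so they can be picked up by log review.
function example_update_booking_settings() {
    // Rejects forged cross-site requests; WordPress replies 403 on failure.
    check_ajax_referer( 'example_booking_settings', 'nonce' );

    // Authorization: only users who may manage site options get through.
    if ( ! current_user_can( 'manage_options' ) ) {
        // Detection hook: a denied call from an authenticated account is
        // exactly the event the "monitor audit logs" action looks for.
        error_log( sprintf(
            'example-booking: denied settings update for user %d from %s',
            get_current_user_id(),
            sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '' ) )
        ) );
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $settings = isset( $_POST['settings'] )
        ? sanitize_text_field( wp_unslash( $_POST['settings'] ) )
        : '';
    update_option( 'example_booking_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_booking_settings', 'example_update_booking_settings' );
```

Dropping the file into `wp-content/mu-plugins/` loads it on every request. The point to carry over when reviewing a real booking plugin is that registering a handler under `wp_ajax_*` (or a REST route with a permissive `permission_callback`) grants reachability to every authenticated role; the capability check, not the hook name, is what enforces the intended privilege level.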

Evidence notes

The vulnerability is documented in the NVD with a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network attack vector, low attack complexity, low privileges required, no user interaction, and low integrity impact with no confidentiality or availability impact. The weakness is classified as CWE-862 (Missing Authorization) per Patchstack's analysis.

Official resources

The CVE record was published on May 26, 2026, at 20:16 UTC and modified shortly thereafter at 20:19 UTC. The NVD entry currently shows a status of 'Deferred,' indicating the record may be awaiting additional analysis or vendor coordination.