WordPress Plugin Vulnerabilities

Webba Booking < 5.1.22 - Missing Authorization

Description

The Appointment Booking & Scheduling Plugin — Webba Booking Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.1.20. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
webba-booking-lite
Fixed in 5.1.22

References

CVE
CVE-2025-54040
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/760573ff-bb19-46d2-9a3f-f82875585571

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Hiro
Verified
No
WPVDB ID
4f1a7bff-3b79-43c6-b481-f44cb822d04a

Timeline

Publicly Published
2025-07-16 (about 10 months ago)
Added
2025-07-21 (about 10 months ago)
Last Updated
2025-07-21 (about 10 months ago)

Other

Published
Title
Published
2025-09-03
Title
Ai Engine < 2.9.6 - Missing Authorization to Unauthenticated Uploaded Files Disclosure And Deletion
Published
2026-01-08
Title
Zorka <= 1.5.7 - Missing Authorization
Published
2026-06-05
Title
Alba Board < 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'card_id' Parameter
Published
2022-12-05
Title
Health Check & Troubleshooting < 1.2.4 - Missing Authorization Checks
Published
2024-05-31
Title
QQWorld Auto Save Images <= 1.9.8 - Missing Authorization to Arbitrary Post Content Retrieval