WordPress Plugin Vulnerabilities

Webba Booking < 6.2.2 - Missing Authorization

Description

The Easy Appointment Booking & Scheduling System – Webba Booking Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
webba-booking-lite
Fixed in 6.2.2

References

CVE
CVE-2025-66530
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/30cf9783-6422-43f8-b5dc-a613a9513296

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
daroo
Verified
No
WPVDB ID
565c10bd-c5ce-4ff9-9b06-e4dbfc91cc4d

Timeline

Publicly Published
2025-12-15 (about 6 months ago)
Added
2025-12-20 (about 5 months ago)
Last Updated
2025-12-20 (about 5 months ago)

Other

Published
Title
Published
2023-08-29
Title
Pricing Deals for WooCommerce <= 2.0.3.2 - Missing Authorization via vtprd_ajax_clone_rule
Published
2025-04-28
Title
SecuPress Free < 2.3.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation
Published
2024-05-03
Title
ConvertPlug < 3.5.26 - Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update
Published
2024-12-17
Title
Agency Toolkit < 1.0.24 - Unauthenticated Arbitrary Options Update
Published
2025-12-15
Title
Simple Link Directory < 8.8.4 - Missing Authorization