5.3
CVE-2025-4691
- EPSS 0.05%
- Published 31.05.2025 11:18:54
- Last modified 23.01.2026 19:32:27
- Source security@wordfence.com
Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking <= 1.3.21 - Insecure Direct Object Reference to Sensitive Information Exposure
The Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21 via 'view_request_details', due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to view the details of any booking request. The vulnerability was partially patched in versions 1.3.18 and 1.3.21.
Possible mitigation
eaSYNC Booking – Hotels, Restaurants & Car Rentals: Update to version 1.3.22, or a newer patched version
Further vulnerability information
System: WordPress Plugin
Product
eaSYNC Booking – Hotels, Restaurants & Car Rentals
Version
*-1.3.21
Data provided by the National Vulnerability Database (NVD)
Syntacticsinc ≫ Easync (software platform: wordpress), version < 1.3.22
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.05% | 0.167 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.