CVE-2025-66123 Overview
CVE-2025-66123 is an Insecure Direct Object Reference (IDOR) vulnerability affecting the BookPro WordPress plugin (also known as ovabookpro) in versions up to and including 1.1.0. The flaw allows unauthenticated remote attackers to access objects belonging to other users by manipulating identifier parameters in requests. The vulnerability maps to CWE-639: Authorization Bypass Through User-Controlled Key and results in unauthorized disclosure of resources managed by the plugin.
Critical Impact
Unauthenticated attackers can enumerate and access booking-related objects owned by other users over the network without any user interaction, leading to confidentiality loss across the affected WordPress installation.
Affected Products
- BookPro WordPress plugin (ovabookpro) versions <= 1.1.0
- WordPress sites running the vulnerable BookPro plugin
- Any deployment exposing BookPro endpoints to unauthenticated network traffic
Discovery Timeline
- 2026-06-26 - CVE-2025-66123 published to the National Vulnerability Database
- 2026-06-26 - Last updated in NVD database
Technical Details for CVE-2025-66123
Vulnerability Analysis
The BookPro plugin exposes functionality that references internal objects using identifiers supplied in HTTP requests. The plugin fails to verify that the requesting user is authorized to access the referenced object. An attacker can substitute another user's identifier and receive that user's data in the response.
Because the flaw does not require authentication, the attack surface extends to any client that can reach the WordPress site. The impact is limited to confidentiality; the vulnerability does not, on its own, allow modification or destruction of data. The Patchstack Vulnerability Report documents the affected plugin and version range.
EPSS data as of 2026-07-02 places the probability of exploitation activity in the lower percentiles, and no public exploit or CISA KEV listing exists at the time of writing.
Root Cause
The root cause is a missing authorization check on object references. The plugin trusts identifiers supplied by the client and returns the corresponding record without validating ownership or user permissions. This is a canonical [CWE-639] pattern where authorization is bypassed through a user-controlled key.
Attack Vector
Exploitation is performed over the network by sending crafted HTTP requests to vulnerable BookPro endpoints. The attacker iterates through predictable numeric or sequential object identifiers and reads responses. No credentials, tokens, or user interaction are required.
// No verified proof-of-concept code is available.
// See the Patchstack advisory linked above for technical details
// on the vulnerable parameter and endpoint.
Detection Methods for CVE-2025-66123
Indicators of Compromise
- Sequential or enumerative HTTP requests to BookPro plugin endpoints referencing incrementing numeric object identifiers
- Unauthenticated requests to plugin endpoints returning records associated with multiple distinct users
- Elevated request rates from a single source IP toward ovabookpro routes
Detection Strategies
- Inspect web server and WordPress access logs for unauthenticated requests to BookPro endpoints with varying id-style parameters
- Correlate response sizes and status codes against user-scope expectations to identify cross-user data retrieval
- Deploy Web Application Firewall (WAF) rules that flag sequential identifier enumeration against plugin routes
Monitoring Recommendations
- Alert on unauthenticated GET or POST activity targeting BookPro endpoints from external IP addresses
- Track anomalous volumes of requests to WordPress plugin paths and baseline typical booking traffic
- Forward WordPress and reverse proxy logs to a centralized analytics platform to enable enumeration detection
How to Mitigate CVE-2025-66123
Immediate Actions Required
- Identify all WordPress sites running the BookPro (ovabookpro) plugin at version 1.1.0 or earlier
- Update BookPro to a version above 1.1.0 once a fixed release is available from the vendor
- Restrict network access to affected endpoints until patching is complete
Patch Information
Refer to the Patchstack Vulnerability Report for the authoritative advisory, fixed-version details, and vendor guidance. Apply the vendor-supplied update through the WordPress plugin update mechanism.
Workarounds
- Temporarily deactivate the BookPro plugin on affected sites until an update is applied
- Enforce WAF rules that require authentication for BookPro object retrieval endpoints and block sequential identifier enumeration
- Restrict access to plugin routes by IP allowlisting where administratively feasible
# Example: block unauthenticated access to BookPro endpoints at the reverse proxy (nginx)
location ~* /wp-content/plugins/ovabookpro/ {
# require authentication or restrict by IP until patched
allow 10.0.0.0/8;
deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

