Описание
The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve all booking records containing customers' personally identifiable information (PII), including names, email addresses, and phone numbers.
The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve all booking records containing customers' personally identifiable information (PII), including names, email addresses, and phone numbers.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2025-14065
- https://plugins.trac.wordpress.org/browser/simple-bike-rental/tags/1.0.5/includes/ajax.php#L137
- https://plugins.trac.wordpress.org/browser/simple-bike-rental/trunk/includes/ajax.php#L137
- https://plugins.trac.wordpress.org/changeset/3414692/simple-bike-rental
- https://www.wordfence.com/threat-intel/vulnerabilities/id/06f4e758-3328-4ac1-956a-cfadddd12e53?source=cve
Связанные уязвимости
The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve all booking records containing customers' personally identifiable information (PII), including names, email addresses, and phone numbers.