Cyber Resilience

CVE-2025-69340

High

Published: 05 March 2026

Published
05 March 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0006 19.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-69340 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2025-69340 is a missing authorization vulnerability in the WeDesignTech Ultimate Booking Addon WordPress plugin from BuddhaThemes, identified as wedesigntech-ultimate-booking-addon. The issue, classified under CWE-862, enables exploiting incorrectly configured access control security levels and affects all versions from n/a through 1.0.3. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for significant availability disruption without impacting confidentiality or integrity.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation results in high availability impact, typically manifesting as a denial-of-service condition against the affected WordPress site.

Patchstack has published details on this broken access control vulnerability in the WeDesignTech Ultimate Booking Addon plugin version 1.0.3, available at https://patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-3-broken-access-control-vulnerability-2?_s_id=cve. Security practitioners should consult this advisory for mitigation guidance.

EU & UK References

Vulnerability details

Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Missing authorization (CWE-862) in public-facing WordPress plugin directly enables unauthenticated network exploitation (T1190) resulting in application/system DoS via crafted requests (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27388Shared CWE-862
CVE-2026-25317Shared CWE-862
CVE-2026-31921Shared CWE-862
CVE-2026-0490Shared CWE-862
CVE-2026-32441Shared CWE-862
CVE-2024-13655Shared CWE-862
CVE-2026-30970Shared CWE-862
CVE-2026-25242Shared CWE-862
CVE-2026-45209Shared CWE-862
CVE-2026-25026Shared CWE-862

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations to directly prevent unauthenticated exploitation of missing authorization in the plugin leading to DoS.

prevent

Requires identification, reporting, and correction of flaws like this missing authorization vulnerability through timely patching of the affected plugin.

prevent

Protects against denial-of-service events exploited via the missing authorization, limiting availability impact on the WordPress site.

References