CVE-2025-69340
Published: 05 March 2026
Summary
CVE-2025-69340 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2025-69340 is a missing authorization vulnerability in the WeDesignTech Ultimate Booking Addon WordPress plugin from BuddhaThemes, identified as wedesigntech-ultimate-booking-addon. The issue, classified under CWE-862, enables exploiting incorrectly configured access control security levels and affects all versions from n/a through 1.0.3. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for significant availability disruption without impacting confidentiality or integrity.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation results in high availability impact, typically manifesting as a denial-of-service condition against the affected WordPress site.
Patchstack has published details on this broken access control vulnerability in the WeDesignTech Ultimate Booking Addon plugin version 1.0.3, available at https://patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-3-broken-access-control-vulnerability-2?_s_id=cve. Security practitioners should consult this advisory for mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208307
Vulnerability details
Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization (CWE-862) in public-facing WordPress plugin directly enables unauthenticated network exploitation (T1190) resulting in application/system DoS via crafted requests (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations to directly prevent unauthenticated exploitation of missing authorization in the plugin leading to DoS.
Requires identification, reporting, and correction of flaws like this missing authorization vulnerability through timely patching of the affected plugin.
Protects against denial-of-service events exploited via the missing authorization, limiting availability impact on the WordPress site.