Unauthorized Data Modification in Booking Calendar Plugin for WordPress
CVE-2025-12633

7.5HIGH

Key Information:

Vendor: WordPress
Status: Booking Calendar | Appointment Booking | Bookit
Vendor: CVE Published:; 12 November 2025

What is CVE-2025-12633?

The Booking Calendar | Appointment Booking | Bookit plugin for WordPress has a critical flaw that allows for unauthorized data modification via a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint. This vulnerability impacts all versions up to and including 2.5.0, allowing unauthenticated attackers to link their own Stripe accounts, consequently enabling them to receive payments, which can lead to severe financial fraud.

Affected Version(s)

Booking Calendar | Appointment Booking | Bookit * <= 2.5.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3393159/book...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 12, 2025
Vulnerability Reserved
Nov 3, 2025

Credit

Md. Moniruzzaman Prodhan

JSON