CVE-2025-12633
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-12

Last updated on: 2025-11-12

Assigner: Wordfence

Description
The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to connect their Stripe account and receive payments.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-12
Last Modified
2025-11-12
Generated
2026-05-07
AI Q&A
2025-11-12
EPSS Evaluated
2026-05-05
NVD
CVE-2025-12633
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bookit wordpress_plugin *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Booking Calendar | Appointment Booking | Bookit WordPress plugin up to version 2.5.0. It is caused by a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API endpoint, which allows unauthenticated attackers to connect their own Stripe accounts to the site and receive payments. Essentially, the REST endpoint did not properly restrict access, enabling unauthorized users to modify data related to Stripe account connections. [2]


How can this vulnerability impact me? :

This vulnerability can impact you by allowing unauthenticated attackers to connect their own Stripe accounts to your WordPress site via the vulnerable REST API endpoint. This means attackers could potentially receive payments intended for your site, leading to financial loss and unauthorized control over payment processing. Since the vulnerability allows unauthorized modification of data related to Stripe connections, it compromises the integrity of your payment system. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking if your WordPress site is running the Bookit plugin version 2.5.0 or earlier. Specifically, monitoring requests to the REST API endpoint '/wp-json/bookit/v1/commerce/stripe/return' for unauthorized access attempts could indicate exploitation. Using tools like curl or wget, you can test the endpoint's permission enforcement. For example, running a command like `curl -I https://your-site.com/wp-json/bookit/v1/commerce/stripe/return` and checking if it allows unauthenticated access (HTTP 200) may indicate vulnerability. Additionally, reviewing your web server logs for unexpected POST or GET requests to this endpoint from unauthenticated sources can help detect exploitation attempts. [2]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Bookit plugin to version 2.5.1 or later, where the vulnerability is fixed by enforcing proper permission checks on the vulnerable REST API endpoint. This update changes the permission callback to restrict access to users with the 'manage_options' capability, typically administrators, preventing unauthorized Stripe account connections. If updating immediately is not possible, consider restricting access to the '/wp-json/bookit/v1/commerce/stripe/return' endpoint via web server rules or firewall to trusted users only. [2]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart