CVE-2025-12633
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-12

Last updated on: 2025-11-12

Assigner: Wordfence

Description
The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to connect their Stripe account and receive payments.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-12
Last Modified
2025-11-12
Generated
2026-06-16
AI Q&A
2025-11-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12633
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bookit wordpress_plugin *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Booking Calendar | Appointment Booking | Bookit WordPress plugin up to version 2.5.0. It is caused by a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API endpoint, which allows unauthenticated attackers to connect their own Stripe accounts to the site and receive payments. Essentially, the REST endpoint did not properly restrict access, enabling unauthorized users to modify data related to Stripe account connections. [2]

Impact Analysis

This vulnerability can impact you by allowing unauthenticated attackers to connect their own Stripe accounts to your WordPress site via the vulnerable REST API endpoint. This means attackers could potentially receive payments intended for your site, leading to financial loss and unauthorized control over payment processing. Since the vulnerability allows unauthorized modification of data related to Stripe connections, it compromises the integrity of your payment system. [2]

Detection Guidance

You can detect this vulnerability by checking if your WordPress site is running the Bookit plugin version 2.5.0 or earlier. Specifically, monitoring requests to the REST API endpoint '/wp-json/bookit/v1/commerce/stripe/return' for unauthorized access attempts could indicate exploitation. Using tools like curl or wget, you can test the endpoint's permission enforcement. For example, running a command like `curl -I https://your-site.com/wp-json/bookit/v1/commerce/stripe/return` and checking if it allows unauthenticated access (HTTP 200) may indicate vulnerability. Additionally, reviewing your web server logs for unexpected POST or GET requests to this endpoint from unauthenticated sources can help detect exploitation attempts. [2]

Mitigation Strategies

The immediate mitigation step is to update the Bookit plugin to version 2.5.1 or later, where the vulnerability is fixed by enforcing proper permission checks on the vulnerable REST API endpoint. This update changes the permission callback to restrict access to users with the 'manage_options' capability, typically administrators, preventing unauthorized Stripe account connections. If updating immediately is not possible, consider restricting access to the '/wp-json/bookit/v1/commerce/stripe/return' endpoint via web server rules or firewall to trusted users only. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12633. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart