CVE-2025-13317
BaseFortify
Publication date: 2025-11-22
Last updated on: 2025-11-22
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | appointment_booking_calendar | 1.3.96 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Appointment Booking Calendar plugin for WordPress has a Missing Authorization vulnerability in all versions up to 1.3.96. It exposes an unauthenticated booking processing endpoint that accepts attacker-supplied payment notifications without verifying their origin or authenticity. This allows attackers to confirm bookings arbitrarily and insert them into the live calendar, triggering notification emails and disrupting normal operations.
How can this vulnerability impact me?
This vulnerability can allow unauthenticated attackers to arbitrarily confirm bookings and insert fake appointments into the live calendar. This can disrupt business operations by triggering false administrative and customer notification emails, potentially causing confusion, operational inefficiencies, and loss of trust.