CVE-2025-13318
Publication date: 2025-11-22
Last updated on: 2025-11-22
Assigner: Wordfence
Description
The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | booking_calendar_contact_form | all versions up to and including 1.2.60 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Booking Calendar Contact Form plugin for WordPress is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This allows unauthenticated attackers to confirm bookings arbitrarily and bypass payment requirements via the 'dex_bccf_ipn' parameter.
How can this vulnerability impact me?
This vulnerability can allow attackers to confirm bookings without paying, potentially leading to unauthorized bookings and financial loss or disruption of booking processes.