CVE-2025-12573
Unknown Unknown - Not Provided
Authenticated AJAX Authorization Bypass in Bookingor WordPress Plugin

Publication date: 2026-01-20

Last updated on: 2026-01-20

Assigner: WPScan

Description
The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-01-20
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12573
EUVD
EUVD-2026-3442
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bookingor wordpress_plugin to 1.0.12 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Bookingor WordPress plugin up to version 1.0.12 occurs because the plugin exposes authenticated AJAX actions without proper capability or nonce checks. This means that low-privileged users who are logged in can perform actions they should not be authorized to do, specifically deleting plugin data such as categories via the AJAX action 'bp_delete_category'. Essentially, the plugin fails to properly verify if the user has permission to perform these actions, leading to broken access control. [1]

Impact Analysis

This vulnerability allows low-privileged authenticated users to delete data related to the Bookingor plugin, such as categories, without proper authorization. This can lead to data loss or disruption of the plugin's functionality on your WordPress site, potentially affecting site operations or user experience. [1]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the WordPress admin AJAX endpoint that invoke the action 'bp_delete_category'. Specifically, you can look for POST requests containing 'action=bp_delete_category' and a category ID parameter, authenticated by a logged-in user cookie. A detection command example using curl to test the vulnerability is: curl -X POST -b 'wordpress_logged_in_cookie' -d 'action=bp_delete_category&category_id=1' https://yourwordpresssite.com/wp-admin/admin-ajax.php. If the request succeeds in deleting data without proper authorization, the vulnerability is present. [1]

Mitigation Strategies

Since there is currently no known fix for this vulnerability, immediate mitigation steps include restricting access to the WordPress admin AJAX endpoint to trusted users only, monitoring and logging AJAX requests for suspicious activity, and limiting user privileges to prevent low-privileged users from performing sensitive actions. Additionally, consider disabling or removing the Bookingor plugin until a patch is released. [1]

Compliance Impact

The vulnerability allows low-privileged users to delete plugin data due to missing authorization checks, which constitutes a Broken Access Control issue. Such unauthorized data deletion could lead to non-compliance with standards like GDPR and HIPAA that require protection of data integrity and proper access controls. However, there is no explicit mention in the provided resources about direct impacts on compliance with these regulations. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12573. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart