CVE-2025-12573
Authenticated AJAX Authorization Bypass in Bookingor WordPress Plugin

Publication date: 2026-01-20

Last updated on: 2026-01-20

Assigner: WPScan

Description
The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged authenticated users to delete the plugin's data.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-20
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: bookingor
Product: wordpress_plugin
Version / Range: up to and including 1.0.12
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Bookingor WordPress plugin up to version 1.0.12 occurs because the plugin exposes authenticated AJAX actions without proper capability or nonce checks. In WordPress, a wp_ajax_* hook fires for any logged-in user regardless of role, so a low-privileged user can perform actions they should not be authorized to perform, specifically deleting plugin data such as categories via the AJAX action 'bp_delete_category'. Essentially, the plugin never verifies that the user has permission to perform these actions, which is a broken access control issue. [1]
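
As an added illustration (not the plugin's own code and not part of the record), the sketch below shows a WordPress AJAX handler in the shape the record describes, followed by the same handler with the capability and nonce checks that close the gap; the action name bp_delete_category and the category_id parameter come from the record, while the capability, nonce action name and table name are assumptions.

```php
<?php
// Hypothetical handlers for the wp_ajax_bp_delete_category action.
// Capability, nonce action and table name are assumed, not taken from the plugin.

// Vulnerable shape (shown for contrast, deliberately NOT registered with add_action):
// no current_user_can() and no check_ajax_referer(), so any authenticated user,
// including a Subscriber, can delete a category by posting action=bp_delete_category.
function bp_delete_category_unchecked() {
    global $wpdb;
    $id = absint( $_POST['category_id'] ?? 0 );
    $wpdb->delete( $wpdb->prefix . 'bp_categories', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}

// Hardened shape: the handler that should be wired to the hook.
add_action( 'wp_ajax_bp_delete_category', 'bp_delete_category_checked' );
function bp_delete_category_checked() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce minted for this user and this action.
    //    check_ajax_referer() terminates the request (HTTP 403) if it is missing or stale.
    check_ajax_referer( 'bp_delete_category', 'nonce' );

    // 2. Authorization: require an explicit capability, not merely "logged in".
    //    manage_options is an assumed choice; pick the capability that fits the plugin's roles.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: coerce to a positive integer before touching the database.
    $id = absint( $_POST['category_id'] ?? 0 );
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid category_id.' ), 400 );
    }

    // $wpdb->delete() returns the number of rows removed, or false on error.
    $deleted = $wpdb->delete( $wpdb->prefix . 'bp_categories', array( 'id' => $id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}

// The nonce is issued server-side where the admin page is rendered, for example:
//   wp_localize_script( 'bp-admin', 'bpAjax',
//       array( 'nonce' => wp_create_nonce( 'bp_delete_category' ) ) );
// and the page's JavaScript sends it as the 'nonce' POST field next to category_id.
```

With the hardened handler in place, a request from a low-privileged user fails at the capability check with a 403 even if it carries a valid nonce, and a request forged from another site fails at the nonce check.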


How can this vulnerability impact me?

This vulnerability allows low-privileged authenticated users to delete data related to the Bookingor plugin, such as categories, without proper authorization. This can lead to data loss or disruption of the plugin's functionality on your WordPress site, potentially affecting site operations or user experience. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized POST requests to the WordPress admin AJAX endpoint (wp-admin/admin-ajax.php) that invoke the action 'bp_delete_category'. Specifically, look for POST requests whose body contains 'action=bp_delete_category' together with a category ID parameter, sent with a logged-in user cookie. Note that standard web-server access logs do not record POST bodies, so this detection needs a WAF, reverse proxy, or application-level logging that captures request parameters. A detection command example using curl to test the vulnerability is:

curl -X POST -b 'wordpress_logged_in_cookie' -d 'action=bp_delete_category&category_id=1' https://yourwordpresssite.com/wp-admin/admin-ajax.php

If the request succeeds in deleting data without proper authorization, the vulnerability is present; because a successful test really deletes the category, run it against a test site or a throwaway category. [1]


What immediate steps should I take to mitigate this vulnerability?

Since there is currently no known fix for this vulnerability, immediate mitigation steps include restricting access to the WordPress admin AJAX endpoint to trusted users only, monitoring and logging AJAX requests for suspicious activity, and limiting user privileges to prevent low-privileged users from performing sensitive actions. Additionally, consider disabling or removing the Bookingor plugin until a patch is released. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows low-privileged users to delete plugin data due to missing authorization checks, which constitutes a Broken Access Control issue. Such unauthorized data deletion could lead to non-compliance with standards like GDPR and HIPAA that require protection of data integrity and proper access controls. However, there is no explicit mention in the provided resources about direct impacts on compliance with these regulations. [1]

