CVE-2025-15473
Received Received - Intake
Authorization Bypass in Timetics WordPress Plugin Allows Booking Manipulation

Publication date: 2026-03-12

Last updated on: 2026-03-12

Assigner: WPScan

Description
The Timetics WordPress plugin before 1.0.52 does not have authorization in a REST endpoint, allowing unauthenticated users to arbitrarily change a booking's payment status and post status for the "timetics-booking" custom post type.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15473
EUVD
EUVD-2025-208611
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
timetics timetics to 1.0.52 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-15473 is a vulnerability in the Timetics WordPress plugin versions prior to 1.0.52. It occurs because a REST API endpoint lacks proper authorization checks, allowing unauthenticated users to modify booking information.'}, {'type': 'paragraph', 'content': 'Specifically, attackers can send POST requests to the endpoint `/wp-json/timetics/v1/bookings/{booking_id}/payment` to arbitrarily change the payment status and post status of bookings associated with the "timetics-booking" custom post type without needing to authenticate.'}, {'type': 'paragraph', 'content': 'This vulnerability is classified as broken access control (OWASP A5) and corresponds to CWE-862 (Missing Authorization).'}] [1]

Impact Analysis

This vulnerability allows unauthenticated attackers to arbitrarily change the payment status and post status of bookings in the Timetics plugin.

  • Attackers can mark payments as succeeded even if no payment was made.
  • They can manipulate booking statuses, potentially disrupting business operations.
  • This can lead to financial discrepancies, fraud, and loss of trust from customers.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unauthorized POST requests to the REST API endpoint associated with the Timetics plugin. Specifically, look for POST requests to the endpoint `/wp-json/timetics/v1/bookings/{booking_id}/payment` where booking_id is any booking identifier.'}, {'type': 'paragraph', 'content': 'A command to detect such activity using curl could be:'}, {'type': 'list_item', 'content': 'curl -X POST https://yourwordpresssite.com/wp-json/timetics/v1/bookings/{booking_id}/payment -d \'{"payment_status":"succeeded","payment_method":"manual","payment_details":{"transaction_id":"attacker_controlled"}}\' -H "Content-Type: application/json"'}, {'type': 'paragraph', 'content': 'Additionally, network monitoring tools or web application firewalls (WAF) can be configured to alert on POST requests to this endpoint without proper authentication.'}] [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Timetics WordPress plugin to version 1.0.52 or later, where the authorization checks on the REST endpoint have been properly implemented.

Until the update can be applied, consider restricting access to the vulnerable REST endpoint by using firewall rules or disabling the REST API for unauthenticated users if possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15473. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart