CVE-2025-15473
Authorization Bypass in Timetics WordPress Plugin Allows Booking Manipulation
Publication date: 2026-03-12
Last updated on: 2026-03-12
Assigner: WPScan
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| timetics | timetics | < 1.0.52 (1.0.52 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15473 is a vulnerability in the Timetics WordPress plugin in versions prior to 1.0.52. It occurs because a REST API endpoint lacks an authorization check, allowing unauthenticated users to modify booking information.

Specifically, attackers can send POST requests to the endpoint `/wp-json/timetics/v1/bookings/{booking_id}/payment` to arbitrarily change the payment status and post status of bookings stored in the "timetics-booking" custom post type, without needing to authenticate.

This vulnerability is classified as broken access control (OWASP A5) and corresponds to CWE-862 (Missing Authorization). [1]
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to arbitrarily change the payment status and post status of bookings in the Timetics plugin.
- Attackers can mark payments as succeeded even if no payment was made.
- They can manipulate booking statuses, potentially disrupting business operations.
- This can lead to financial discrepancies, fraud, and loss of trust from customers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized POST requests to the REST API endpoint associated with the Timetics plugin. Specifically, look for POST requests to the endpoint `/wp-json/timetics/v1/bookings/{booking_id}/payment`, where `booking_id` is any booking identifier.

A curl command that exercises this endpoint, for testing a site you administer, could be:

```shell
curl -X POST https://yourwordpresssite.com/wp-json/timetics/v1/bookings/{booking_id}/payment \
  -d '{"payment_status":"succeeded","payment_method":"manual","payment_details":{"transaction_id":"attacker_controlled"}}' \
  -H "Content-Type: application/json"
```

Additionally, network monitoring tools or web application firewalls (WAF) can be configured to alert on POST requests to this endpoint that are not properly authenticated. [1]
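The log-side monitoring described above, as an added example that is not part of the advisory or of the Timetics plugin: a Python script that parses nginx/Apache combined-format access log lines and reports every POST to the bookings payment route, covering both the `/wp-json/...` URL form and WordPress's `?rest_route=` form (which bypasses a filter that only matches `/wp-json/`). The log lines, IP addresses and booking ids are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Combined log format (nginx/Apache default): ip - user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Route from the advisory, relative to the REST root; the booking id is the post id.
ROUTE_RE = re.compile(r'^/timetics/v1/bookings/(?P<booking_id>\d+)/payment/?$')

@dataclass
class Hit:
    ip: str
    time: str
    booking_id: int
    status: int  # 2xx means the site accepted the change; 401/403 means it refused

def normalize_rest_path(request_path):
    """Map both REST URL styles to the route: /wp-json/<route> and ?rest_route=/<route>."""
    parts = urlsplit(request_path)
    query = parse_qs(parts.query)  # parse_qs also percent-decodes the value
    if 'rest_route' in query:
        return query['rest_route'][0]
    if parts.path.startswith('/wp-json/'):
        return parts.path[len('/wp-json'):]
    return None

def find_payment_updates(lines):
    """Return every POST to the bookings payment route found in the given log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group('method') != 'POST':
            continue
        route = normalize_rest_path(m.group('path'))
        r = ROUTE_RE.match(route) if route else None
        if r:
            hits.append(Hit(m.group('ip'), m.group('time'),
                            int(r.group('booking_id')), int(m.group('status'))))
    return hits

# Constructed sample lines (documentation-range IPs, made-up booking ids).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:15:32 +0000] "POST /wp-json/timetics/v1/bookings/42/payment HTTP/1.1" 200 312 "-" "curl/8.5.0"',
    '198.51.100.9 - - [12/Mar/2026:10:16:01 +0000] "GET /wp-json/timetics/v1/bookings/42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2026:10:17:45 +0000] "POST /index.php?rest_route=%2Ftimetics%2Fv1%2Fbookings%2F43%2Fpayment HTTP/1.1" 200 310 "-" "curl/8.5.0"',
    '192.0.2.5 - - [12/Mar/2026:10:18:00 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 401 95 "-" "Mozilla/5.0"',
]
```

Feed it real lines with `find_payment_updates(open('/var/log/nginx/access.log'))`; a 2xx hit from a source that never logged in is the condition the advisory describes, and should be correlated with the site's legitimate payment flow.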
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Timetics WordPress plugin to version 1.0.52 or later, where the authorization checks on the REST endpoint have been properly implemented.
Until the update can be applied, consider restricting access to the vulnerable REST endpoint by using firewall rules or disabling the REST API for unauthenticated users if possible.