Booking Calendar | Appointment Booking | Bookit < 2.5.1 – Missing Authorization to Unauthenticated Stripe Connection | CVE 2025-12633 | Plugin Vulnerabilities

Description

The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to connect their Stripe account and receive payments.

Affects Plugins

Fixed in 2.5.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2263d356-b2ed-4e16-98ee-b01d4274d1d9

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

Verified

No

WPVDB ID

838616fa-0f24-4fb1-8f2c-eddf35b1046b

Timeline

Publicly Published

2025-11-11 (about 6 months ago)

Added

2025-11-11 (about 6 months ago)

Last Updated

2025-11-12 (about 6 months ago)

Other

Published

Title

Published

2024-07-04

Title

The Post Grid < 7.7.5 - Missing Authorization via save_block_css

Published

2023-10-19

Title

WP EXtra < 6.3 - Missing Authorization to Export Settings

Published

2025-12-29

Title

Product Delivery Date for WooCommerce – Lite < 3.3.0 - Missing Authorization

Published

2025-12-18

Title

DesignThemes LMS Addon <= 2.6 - Missing Authorization

Published

2025-11-09

Title

WP Delicious < 1.9.2 - Missing Authorization