Timetics < 1.0.48 – Incorrect Authorization to Authenticated (Timetics Customer+) User Creation | CVE 2025-67915 | Plugin Vulnerabilities

Description

The Appointment Booking Calendar – WP Timetics Booking Plugin plugin for WordPress is vulnerable to unauthorized access due to a insufficient capability check in the api-customer.php file in all versions up to, and including, 1.0.46. This makes it possible for authenticated attackers, with Timetics Customer-level access and above, to create arbitrary user accounts.

Affects Plugins

Fixed in 1.0.48

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b50db670-856a-43d1-811e-4dc297137dc0

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

daroo

Verified

No

WPVDB ID

b07e0ab3-6046-462f-9bb7-adf19fee2ef2

Timeline

Publicly Published

2026-01-05 (about 4 months ago)

Added

2026-01-14 (about 4 months ago)

Last Updated

2026-01-14 (about 4 months ago)

Other

Published

Title

Published

2023-11-21

Title

Abandoned Cart Lite for WooCommerce < 5.16.1 - Improper Authorization via wcal_delete_expired_used_coupon_code

Published

2024-04-25

Title

Leaky Paywall < 4.20.9 - Missing Authorization to Price Manipulation

Published

2024-10-24

Title

Mapster WP Maps < 1.6.0 - Incorrect Authorization to Authenticated (Contributor+) Arbitrary Options Update

Published

2021-11-09

Title

Get Custom Field Values < 4.0 - Contributors+ Arbitrary Post Metadata Access

Published

2025-10-24

Title

ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution < 4.8.5 - Incorrect Authorization to Authenticated (Editor+) License Status Update