CVE-2025-12633
published 2025-11-12

CVE-2025-12633: The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check…

Priority: P348
Severity: high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.22% (13.0th percentile)

The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to connect their Stripe account and receive payments.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
| stellarwp | bookit_booking_appointment_calendar | <= 2.5.0 | |