CVE-2025-12841
Published 2025-12-12
Priority: P3 40 · Severity: medium · CVSS 3.1 base score: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EXPLOIT
EPSS: 0.65% (46.7th percentile)
The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the plugin's Stripe payment options.
No detection rules found.
Nuclei
Template: CVE-2025-12841 [MEDIUM] WordPress Bookit < 2.5.1 - Unauthenticated Stripe Settings Update (nuclei · CVSS 5.3)
Bookit WordPress plugin < 2.5.1 contains a broken access control vulnerability caused by a publicly accessible REST endpoint allowing unauthenticated update of Stripe payment options, letting remote attackers modify payment settings without authentication.
Template:
id: CVE-2025-12841
info:
  name: WordPress Bookit < 2.5.1 - Unauthenticated Stripe Settings Update
  author: 0x_Akoko
  severity: high
  description: |
    Bookit WordPress plugin < 2.5.1 contains a broken access control vulnerability caused by a publicly accessible REST endpoint allowing unauthenticated update of Stripe payment options, letting remote attackers modify payment settings without authentication.
  impact: |
    Remote attackers can modify Stripe payment options w