Description
The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor data.
Published: 2026-01-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation leading to data deletion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in the Bookingor WordPress plugin through version 1.0.12, where authenticated AJAX actions are exposed without the proper capability or nonce checks. This flaw allows users with low privileges, such as subscribers, to trigger deletion requests that remove Bookingor data and potentially delete entire categories. The weakness is a missing authorization check, resulting in an unauthorized capability escalation that directly impacts data integrity and availability.

Affected Systems

Any WordPress site running the Bookingor plugin, version 1.0.12 or earlier, is affected. The plugin does not specify additional dependencies, so simply identifying the plugin version is sufficient. Sites that rely on this plugin for booking functionality or category management are at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity; the EPSS score is below 1%, suggesting that exploitation events are currently rare but still possible. The vulnerability is not listed in the CISA KEV catalog, so it is not a known exploited vulnerability at this time. The attack vector is inferred to be through authenticated AJAX requests made by users who normally do not have the necessary privileges, meaning an attacker needs only a low‑privilege user account and the ability to send crafted requests to the plugin’s AJAX endpoint. Because no nonce is validated, the attacker can simply call the endpoint with the required parameters to delete data.
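As an added illustration (not the Bookingor plugin's own code, which the record does not show), the handler pattern this weakness class describes, beside a hardened form that validates the nonce and the caller's capability before acting. The action names, the nonce action string and the data-layer function myplugin_delete_category are hypothetical.

```php
<?php
// Added illustration, not code from the Bookingor plugin. Hook names, the
// nonce action and myplugin_delete_category() are hypothetical placeholders.

// Weak pattern: a wp_ajax_ hook only requires that the caller be logged in.
// With no nonce and no capability check, any authenticated role (subscriber
// included) can reach the deletion, which is the flaw class described above.
add_action( 'wp_ajax_myplugin_delete_category_weak', function () {
    $id = isset( $_POST['category_id'] ) ? absint( $_POST['category_id'] ) : 0;
    myplugin_delete_category( $id );   // hypothetical data-layer call
    wp_send_json_success();
} );

// Hardened pattern: verify the nonce, then the capability, then the input.
add_action( 'wp_ajax_myplugin_delete_category', function () {
    // 1. Nonce check (CSRF protection): check_ajax_referer() terminates the
    //    request with -1 when the 'security' field is missing or invalid.
    check_ajax_referer( 'myplugin_delete_category_nonce', 'security' );

    // 2. Capability check (authorization): low-privileged roles such as
    //    subscriber lack manage_options, so they receive a 403 instead of
    //    a deletion. Adjust the capability to the plugin's actual admin role.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input validation only once authorization has passed.
    $id = isset( $_POST['category_id'] ) ? absint( $_POST['category_id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid category id' ), 400 );
    }

    myplugin_delete_category( $id );
    wp_send_json_success( array( 'deleted' => $id ) );
} );

// The plugin's own admin page must embed a matching nonce so that legitimate
// administrators still pass step 1. Assumes a script registered with the
// handle 'myplugin-admin' that posts the 'security' field with its request.
function myplugin_enqueue_admin_script() {
    wp_localize_script( 'myplugin-admin', 'myplugin_ajax', array(
        'url'      => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'myplugin_delete_category_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_script' );
```

A nonce alone is not an authorization control: a subscriber who can load a page that embeds the nonce could still call the action, which is why the capability check is the step that closes this class of flaw.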

Generated by OpenCVE AI on April 27, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Bookingor plugin to the latest available version that includes the capability and nonce checks for AJAX actions.
  • If an update cannot be applied immediately, deactivate or remove the plugin to eliminate the exposed endpoints.
  • Configure the web server or use a security plugin to block unauthenticated or low‑privilege access to the Bookingor AJAX URLs until a patch is applied.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 22:00:00 +0000
  • Weaknesses, values added: CWE-269, CWE-285

Wed, 21 Jan 2026 11:30:00 +0000
  • First Time appeared, values added: Wordpress, Wordpress wordpress
  • Vendors & Products, values added: Wordpress, Wordpress wordpress

Tue, 20 Jan 2026 15:15:00 +0000
  • Metrics, values added:
    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 06:15:00 +0000
  • Description, values added: The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data.
  • Title, values added: Bookingor <= 1.0.12 - Subscriber+ Category Deletion
  • References, values added: (none listed)

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:52.029Z

Reserved: 2025-10-31T20:55:18.575Z

Link: CVE-2025-12573

Vulnrichment

Updated: 2026-01-20T14:31:28.056Z

NVD

Status : Deferred

Published: 2026-01-20T06:16:00.080

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12573

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T21:45:14Z

Weaknesses