Description
The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to connect their Stripe account and receive payments.
Published: 2025-11-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Payment Connection
Action: Patch Now
AI Analysis

Impact

The Booking Calendar | Appointment Booking | Bookit plugin exposes a REST endpoint that lacks a proper capability check, permitting an unauthenticated attacker to link their own Stripe account and receive future payments. This flaw results in unauthorized modification of the payment routing and potential loss of revenue for the site owner.

Affected Systems

The vulnerability is present in version 2.5.0 and earlier of the Bookit plugin for WordPress, affecting any site that installs these releases without further remediation.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low current exploitation probability, and the flaw is not listed in the CISA KEV catalog. Attackers can exploit the unauthenticated '/wp-json/bookit/v1/commerce/stripe/return' endpoint by crafting a request that binds their own Stripe account, without needing credentials or prior permissions.

Generated by OpenCVE AI on April 27, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bookit plugin to version 2.5.1 or newer.
  • Set authentication requirements on the '/wp-json/bookit/v1/commerce/stripe/return' endpoint to prevent unauthenticated access until the flaw is patched.
  • Periodically audit Stripe connected accounts and transaction logs for any unauthorized connections and alert site administrators immediately.
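An added illustration, not the Bookit plugin's own code, of what a missing capability check (CWE-862) on a WordPress REST route looks like beside the hardened registration the second recommendation calls for: the route only runs its handler for a user holding an administrative capability, and the account id parameter is validated before it is stored. The namespace, handler name, option names, capability and parameter name are assumptions.

```php
<?php
// Hypothetical example; route, option names and capability are assumptions.

add_action( 'rest_api_init', function () {
    // Vulnerable pattern (CWE-862): no authorization check, so any visitor
    // can call the route and overwrite the account that receives payments.
    // register_rest_route( 'example/v1', '/commerce/stripe/return', [
    //     'methods'             => 'GET',
    //     'callback'            => 'example_stripe_return',
    //     'permission_callback' => '__return_true',
    // ] );

    // Hardened pattern: require a capability only site administrators hold
    // before WordPress ever invokes the handler.
    register_rest_route( 'example/v1', '/commerce/stripe/return', [
        'methods'             => 'GET',
        'callback'            => 'example_stripe_return',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to change the connected Stripe account.',
                    [ 'status' => rest_authorization_required_code() ] // 401 or 403
                );
            }
            return true;
        },
        'args' => [
            'account_id' => [
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
                // Assumed format: Stripe Connect ids start with "acct_".
                'validate_callback' => function ( $value ) {
                    return (bool) preg_match( '/^acct_[A-Za-z0-9]+$/', $value );
                },
            ],
        ],
    ] );
} );

function example_stripe_return( WP_REST_Request $request ) {
    $account_id = $request->get_param( 'account_id' );
    // Store the payout account and who changed it, so the audit in the
    // third recommendation has something to compare against.
    update_option( 'example_stripe_account_id', $account_id );
    update_option( 'example_stripe_account_changed_by', get_current_user_id() );
    return rest_ensure_response( [ 'connected' => true ] );
}
```

For cookie-authenticated requests WordPress only recognises the logged-in user when the request carries a valid `X-WP-Nonce` header, so the permission callback above also rejects cross-site requests made with an administrator's browser session.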

Advisories

No advisories yet.

History

Fri, 14 Nov 2025 16:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 23:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Stellarwp; Stellarwp booking Calendar; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Stellarwp; Stellarwp booking Calendar; Wordpress; Wordpress wordpress

Wed, 12 Nov 2025 07:45:00 +0000

Type: Description
Values removed: (none)
Values added: The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to connect their Stripe account and receive payments.

Type: Title
Values removed: (none)
Values added: Booking Calendar | Appointment Booking | Bookit <= 2.5.0 - Missing Authorization to Unauthenticated Stripe Connection

Type: Weaknesses
Values removed: (none)
Values added: CWE-862

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:40.502Z

Reserved: 2025-11-03T14:50:09.806Z

Link: CVE-2025-12633

Vulnrichment

Updated: 2025-11-12T14:23:20.484Z

NVD

Status : Deferred

Published: 2025-11-12T08:15:41.073

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12633

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T23:00:13Z

Weaknesses