Description
The Booking Plugin for WordPress Appointments – Time Slot plugin for WordPress is vulnerable to unauthorized email sending in versions up to, and including, 1.4.7 due to missing validation on the tslot_appt_email AJAX action. This makes it possible for unauthenticated attackers to send appointment notification emails to arbitrary recipients with attacker-controlled text content in certain email fields, potentially enabling the site to be abused for phishing campaigns or spam distribution.
Published: 2025-11-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Email Sending
Action: Update Plugin
AI Analysis

Impact

The tslot_appt_email AJAX action performs no input validation and no authentication check, so anyone can make the site send appointment notification emails carrying attacker-controlled message content. The flaw can be abused to route phishing or spam campaigns through the victim site, damaging the site's reputation and exposing recipients to malicious links or attachments. The weakness is classified as CWE-20, Improper Input Validation.

Affected Systems

The vulnerability affects the Time Slot – Booking and Appointment System plugin by timeslotplugins. All releases up to and including version 1.4.7 are impacted; no higher-numbered release is listed as affected.

Risk and Exploitability

The CVSS base score is 5.3 and the EPSS score is below 1%, indicating moderate severity and a low estimated probability of exploitation at the time of analysis. The flaw is exploitable by unauthenticated users via a standard AJAX call, and the vulnerability is not listed in the CISA KEV catalog. An attacker need only send a crafted request to the exposed endpoint to trigger arbitrary email dispatches.

Generated by OpenCVE AI on April 22, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Time Slot plugin to a version newer than 1.4.7 that includes the validation patch.
  • If an immediate update is not possible, block unauthenticated access to the tslot_appt_email AJAX action, for example by adding a CSRF nonce check or by denying requests to the endpoint with .htaccess or a firewall rule.
  • Deploy and configure an email-sending filter or security plugin (such as Wordfence) to detect and block unauthorized bulk emails originating from the site.
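As an added example (not the Time Slot plugin's or OpenCVE's code), the second and third actions above can be combined in one must-use plugin: it refuses unauthenticated calls to the tslot_appt_email action before WordPress dispatches them, and logs every message wp_mail() is asked to send during that action so abuse is visible. The `example_` function names and the log format are assumptions; because admin-ajax.php is shared by every plugin, the guard matches on the action parameter instead of blocking the whole endpoint.

```php
<?php
/**
 * Plugin Name: Interim guard for tslot_appt_email (example, not Time Slot's own code)
 * Description: Drop into wp-content/mu-plugins/ to refuse unauthenticated calls to the
 *              tslot_appt_email AJAX action and log any mail it still sends, until the
 *              site can update past 1.4.7. Function names here are hypothetical.
 */

// admin-ajax.php fires 'admin_init' before dispatching wp_ajax_{action} or
// wp_ajax_nopriv_{action}, so a guard hooked here runs ahead of the plugin's handler.
add_action( 'admin_init', 'example_guard_tslot_appt_email', 1 );
add_filter( 'wp_mail', 'example_log_tslot_mail' );

function example_is_tslot_request() {
	if ( ! wp_doing_ajax() || ! isset( $_REQUEST['action'] ) ) {
		return false;
	}
	return 'tslot_appt_email' === sanitize_key( wp_unslash( $_REQUEST['action'] ) );
}

function example_guard_tslot_appt_email() {
	if ( ! example_is_tslot_request() || is_user_logged_in() ) {
		return; // not this action, or an authenticated caller: leave the plugin alone
	}
	// Unauthenticated callers are exactly what the advisory describes; refuse and record them.
	error_log( sprintf(
		'[tslot-guard] blocked unauthenticated tslot_appt_email from %s referer=%s',
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
		isset( $_SERVER['HTTP_REFERER'] ) ? esc_url_raw( wp_unslash( $_SERVER['HTTP_REFERER'] ) ) : '-'
	) );
	wp_send_json_error( array( 'message' => 'Authentication required.' ), 403 ); // exits
}

// Detection layer for the remaining (logged-in) path: record who asked wp_mail() to send
// what during this action, so a burst of messages or an off-site recipient stands out.
function example_log_tslot_mail( $args ) {
	if ( example_is_tslot_request() ) {
		$to = is_array( $args['to'] ) ? implode( ',', $args['to'] ) : (string) $args['to'];
		error_log( sprintf(
			'[tslot-guard] user=%d mail to=%s subject=%s',
			get_current_user_id(),
			$to,
			isset( $args['subject'] ) ? $args['subject'] : ''
		) );
	}
	return $args; // never alter the mail, only observe it
}
```

If the plugin's public booking form relies on unauthenticated visitors triggering this action, the guard will break that flow; confirm the behaviour on a staging site before deploying it.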

Advisories

No advisories yet.

History

Fri, 21 Nov 2025 09:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Timeslotplugins; Timeslotplugins booking Plugin For Wordpress Appointments; Wordpress; Wordpress wordpress
Vendors & Products | | Timeslotplugins; Timeslotplugins booking Plugin For Wordpress Appointments; Wordpress; Wordpress wordpress

Wed, 19 Nov 2025 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 19 Nov 2025 06:00:00 +0000

Type | Values Removed | Values Added
Description | | The Booking Plugin for WordPress Appointments – Time Slot plugin for WordPress is vulnerable to unauthorized email sending in versions up to, and including, 1.4.7 due to missing validation on the tslot_appt_email AJAX action. This makes it possible for unauthenticated attackers to send appointment notification emails to arbitrary recipients with attacker-controlled text content in certain email fields, potentially enabling the site to be abused for phishing campaigns or spam distribution.
Title | | Booking Plugin for WordPress Appointments – Time Slot <= 1.4.7 - Unauthenticated Arbitrary Email Sending
Weaknesses | | CWE-20
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:15.985Z

Reserved: 2025-11-06T20:19:03.726Z

Link: CVE-2025-12842

Vulnrichment

Updated: 2025-11-19T20:13:17.522Z

NVD

Status: Deferred

Published: 2025-11-19T06:15:46.990

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12842

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T16:45:21Z

Weaknesses