CVE-2025-13317 - Vulnerability Details

- Appointment Booking Calendar <= 1.3.96 - Missing Authorization to Arbitrary Booking Confirmation via 'cpabc_ipncheck' Parameter

Description

The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_verification) that trusts attacker-supplied payment notifications without verifying their origin, authenticity, or requiring proper authorization checks. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and insert them into the live calendar via the 'cpabc_ipncheck' parameter, triggering administrative and customer notification emails and disrupting operations.

Published: 2025-11-22

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in the Appointment Booking Calendar plugin allows an attacker to use the unprotected cpabc_appointments_check_IPN_verification endpoint, trusting the cpabc_ipncheck parameter sent in payment notifications. Because no authorization is performed, a malicious actor can craft a request that marks a booking as confirmed, causing it to appear in the live calendar and trigger administrative and customer notification emails. The attacker effectively gains the ability to create or alter appointments without any credentials, leading to unauthorized bookings and disruptions of booking workflows.

Affected Systems

Affected products include the codepeople Appointment Booking Calendar plugin for WordPress, specifically every release up to and including version 1.3.96. No other products or vendor versions are listed as affected. The issue originates from the plugin’s payment notification handling code.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate impact. The EPSS score is less than 1%, suggesting a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is unauthenticated HTTP requests to the exposed endpoint, which an attacker can send from anywhere on the Internet. The primary requirement for exploitation is the ability to create a POST request containing a cpabc_ipncheck value; no additional authentication or privileged access is needed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

codepeople

Appointment Booking Calendar

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.3.96

No data.

Vendor	Product	Confidence	Versions
Codepeople	Appointment Booking Calendar	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Appointment Booking Calendar plugin to the latest version (for example 1.3.97 or newer).
If an update is not possible, restrict access to the cpabc_appointments_check_IPN_verification endpoint to trusted sources only, or disable the endpoint completely.
Manually validate the origin and authenticity of payment notifications before confirming bookings and monitor logs for suspicious booking confirmation attempts.

Generated by OpenCVE AI on April 22, 2026 at 00:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00139.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L14
https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L363
https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L476
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399113%40appointment-booking-calendar&new=3399113%40appointment-booking-calendar&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/638217c4-7a37-49e4-8660-5510ace692ec?source=cve

History

Mon, 24 Nov 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 24 Nov 2025 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Codepeople Codepeople appointment Booking Calendar Wordpress Wordpress wordpress
Vendors & Products		Codepeople Codepeople appointment Booking Calendar Wordpress Wordpress wordpress

Sat, 22 Nov 2025 07:45:00 +0000

Type	Values Removed	Values Added
Description		The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_verification) that trusts attacker-supplied payment notifications without verifying their origin, authenticity, or requiring proper authorization checks. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and insert them into the live calendar via the 'cpabc_ipncheck' parameter, triggering administrative and customer notification emails and disrupting operations.
Title		Appointment Booking Calendar <= 1.3.96 - Missing Authorization to Arbitrary Booking Confirmation via 'cpabc_ipncheck' Parameter
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L14 https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L363 https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L476 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399113%40appointment-booking-calendar&new=3399113%40appointment-booking-calendar&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/638217c4-7a37-49e4-8660-5510ace692ec?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Codepeople Appointment Booking Calendar

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-11-22T07:29:18.875Z

Updated: 2026-04-08T16:57:22.135Z

Reserved: 2025-11-17T15:15:33.423Z

Link: CVE-2025-13317

Vulnrichment

Updated: 2025-11-24T19:30:02.956Z

NVD

Status : Deferred

Published: 2025-11-22T08:15:44.417

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13317

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:30:04Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object