Description
The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter.
Published: 2025-11-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Booking Confirmation
Action: Patch Update
AI Analysis

Impact

The Booking Calendar Contact Form plugin contains a missing authorization check in the dex_bccf_check_IPN_verification function. This flaw allows an attacker with no authentication to trigger the dex_bccf_ipn parameter, causing the plugin to confirm bookings as if a payment had been received. The result is that services can be booked and accessed without payment, potentially leading to revenue loss and service abuse.

Affected Systems

WordPress sites running the Booking Calendar Contact Form plugin from codepeople; all versions up to and including 1.2.60 are vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the flaw relies on a public WordPress endpoint and requires no authentication, it can be exploited by unauthenticated users via a crafted HTTP request, making the attack vector remote web-based.

Generated by OpenCVE AI on April 22, 2026 at 00:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Booking Calendar Contact Form plugin to a version newer than 1.2.60.
  • Ensure that the IPN handling endpoint is properly authenticated or restricted to trusted payment gateways.
  • Modify the plugin configuration or code to perform payment verification before confirming any booking.

Generated by OpenCVE AI on April 22, 2026 at 00:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 24 Nov 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 24 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Codepeople
Codepeople booking Calendar Contact Form
Wordpress
Wordpress wordpress
Vendors & Products Codepeople
Codepeople booking Calendar Contact Form
Wordpress
Wordpress wordpress

Sat, 22 Nov 2025 08:45:00 +0000

Type Values Removed Values Added
Description The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter.
Title Booking Calendar Contact Form <= 1.2.60 - Missing Authorization to Unauthenticated Arbitrary Booking Confirmation via 'dex_bccf_ipn' Parameter
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Codepeople Booking Calendar Contact Form
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:13.473Z

Reserved: 2025-11-17T15:18:42.968Z

Link: CVE-2025-13318

cve-icon Vulnrichment

Updated: 2025-11-24T19:35:00.526Z

cve-icon NVD

Status : Deferred

Published: 2025-11-22T09:15:42.987

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13318

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:30:04Z

Weaknesses