Overview
CVE-2025-13318 is a medium-severity vulnerability affecting the Booking Calendar Contact Form plugin for WordPress. This vulnerability, present in versions up to and including 1.2.60, allows unauthenticated attackers to bypass payment requirements and arbitrarily confirm bookings. It is due to a missing authorization check and missing payment verification within the dex_bccf_check_IPN_verification function.
Technical Details
The vulnerability lies within the dex_bccf_check_IPN_verification function, which handles IPN (Instant Payment Notification) verification for bookings. Due to the absence of proper authorization checks and verification that a payment has actually been made, an attacker can send a crafted request with the dex_bccf_ipn parameter to trigger the booking confirmation process without completing the payment. This allows unauthorized users to confirm bookings they haven’t paid for, effectively bypassing the intended payment workflow.
Affected function: dex_bccf_check_IPN_verification
Vulnerable parameter: dex_bccf_ipn
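The hardened counterpart to the missing checks described above, as an added example that is not the plugin's code: a booking is confirmed only after the gateway itself validates the notification, the payment is reported complete, the amount, currency, merchant and booking match the stored record, and the transaction id has not been used before. The postback protocol, the PayPal-style IPN field names and the demo data are assumptions.

```php
<?php
// Added illustrative example (not the plugin's code): the checks an IPN handler must perform
// before it confirms a booking. Postback protocol and IPN field names are assumptions modelled
// on a PayPal-style IPN; adapt them to the gateway actually in use.
final class IpnVerifier
{
    private $postback;            // callable(array): string, posts the IPN back to the gateway
    private array $seenTxn = [];  // transaction ids already consumed (stand-in for a DB table)

    public function __construct(callable $postback) { $this->postback = $postback; }

    /** True only when every condition needed to confirm the booking holds. */
    public function verify(array $ipn, array $booking, string $merchantEmail): bool
    {
        // 1. The gateway must vouch for the notification: a request that merely carries the
        //    IPN parameter proves nothing about who sent it or whether any money moved.
        if (($this->postback)($ipn) !== 'VERIFIED') {
            return false;
        }
        // 2. Only a completed payment counts (not Pending, Refunded, Reversed, ...).
        if (($ipn['payment_status'] ?? '') !== 'Completed') {
            return false;
        }
        // 3. The payment must be to this merchant, for this booking, in this amount and currency.
        $paid     = number_format((float) ($ipn['mc_gross'] ?? 0), 2, '.', '');
        $expected = number_format((float) $booking['amount'], 2, '.', '');
        if (($ipn['receiver_email'] ?? '') !== $merchantEmail
            || ($ipn['custom'] ?? null) !== $booking['id']
            || ($ipn['mc_currency'] ?? '') !== $booking['currency']
            || $paid !== $expected) {
            return false;
        }
        // 4. A gateway transaction id may confirm a booking once; replays are rejected.
        $txn = (string) ($ipn['txn_id'] ?? '');
        if ($txn === '' || isset($this->seenTxn[$txn])) {
            return false;
        }
        $this->seenTxn[$txn] = true;
        return true;
    }
}

// Constructed demo data; the closure stands in for the gateway's validation endpoint.
$verifier = new IpnVerifier(static fn (array $ipn): string => ($ipn['txn_id'] ?? '') === 'TXN-DEMO-1' ? 'VERIFIED' : 'INVALID');
$booking  = ['id' => 'BK-42', 'amount' => '120.00', 'currency' => 'EUR'];
$genuine  = ['txn_id' => 'TXN-DEMO-1', 'payment_status' => 'Completed', 'receiver_email' => 'shop@example.com',
             'custom' => 'BK-42', 'mc_currency' => 'EUR', 'mc_gross' => '120.00'];
var_dump($verifier->verify(['custom' => 'BK-42'], $booking, 'shop@example.com')); // bare request, no payment evidence
var_dump($verifier->verify($genuine, $booking, 'shop@example.com'));              // validated, completed, matching
var_dump($verifier->verify($genuine, $booking, 'shop@example.com'));              // same txn_id replayed
```

The first call models the condition the advisory describes (a request that carries the IPN parameter but no evidence of payment) and is rejected at step 1 rather than reaching the booking-confirmation logic.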
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13318 is 5.3 (Medium).
This score reflects the following characteristics:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality Impact (C): None (N)
- Integrity Impact (I): Low (L)
- Availability Impact (A): None (N)
The vulnerability is remotely exploitable with no user interaction and no required privileges. While it doesn’t directly compromise confidentiality or availability, it does negatively impact the integrity of the booking system by allowing fraudulent booking confirmations.
Possible Impact
The exploitation of CVE-2025-13318 can have several negative consequences:
- Financial Loss: Attackers can bypass payment requirements, leading to revenue loss for the website owner.
- Resource Depletion: Fraudulent bookings can occupy limited resources (e.g., rooms, appointments), preventing legitimate customers from booking.
- Reputation Damage: Customers who are unable to book due to fraudulent reservations may have a negative experience, damaging the website’s reputation.
Mitigation and Patch Steps
The recommended course of action is to update the Booking Calendar Contact Form plugin to the latest version as soon as possible. The vulnerability has been addressed in versions released after 1.2.60.
To update the plugin:
- Log in to your WordPress dashboard.
- Navigate to the “Plugins” section.
- Locate the “Booking Calendar Contact Form” plugin.
- If an update is available, click the “Update Now” button.
If you are unable to update immediately, consider temporarily disabling the plugin until an update can be performed.