CVE-2025-13317: Critical Booking Confirmation Bypass in Appointment Booking Calendar WordPress Plugin

Overview

CVE-2025-13317 identifies a missing authorization vulnerability affecting the Appointment Booking Calendar plugin for WordPress. This flaw, present in versions up to and including 1.3.96, allows unauthenticated attackers to bypass security checks and inject arbitrary bookings into the calendar. This can lead to disruption of services, unauthorized access to resources, and potential data manipulation.

Technical Details

The vulnerability stems from the plugin exposing an unauthenticated booking-processing endpoint (cpabc_appointments_check_IPN_verification). The plugin trusts payment notifications supplied by the requester through the cpabc_ipncheck parameter without verifying their origin or authenticity and without requiring any authorization. An attacker can therefore craft requests that mimic payment confirmations and cause the plugin to create bookings for which no legitimate payment was ever verified.

Specifically, the code sections in the following files are vulnerable:

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13317 is 5.3 (Medium).

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): None (N)
  • Integrity Impact (I): Low (L)
  • Availability Impact (A): None (N)

This score reflects the ease with which an attacker can exploit this vulnerability over the network without requiring any privileges or user interaction, and the resulting low impact on data integrity.

Possible Impact

Successful exploitation of CVE-2025-13317 can lead to several negative consequences:

  • Arbitrary Booking Injection: Attackers can inject unauthorized bookings into the calendar, potentially blocking legitimate users from scheduling appointments.
  • Disruption of Operations: The influx of fake bookings can overwhelm staff and disrupt the normal workflow of the booking system.
  • Administrative and Customer Notification Spam: The system automatically sends out notifications for each booking, leading to potential spam and annoyance for both administrators and customers.
  • Resource Exhaustion: A large number of fraudulent bookings can consume system resources and potentially lead to performance degradation or even denial of service.

Mitigation or Patch Steps

The primary mitigation step is to update the Appointment Booking Calendar plugin to the latest available version. The vulnerability has been addressed in versions released after 1.3.96. Check the WordPress plugin repository for updates and install the newest version immediately.

Alternatively, if updating is not immediately possible, consider temporarily disabling the plugin until an update can be applied. Additionally, review and validate all recent bookings for suspicious activity.
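To support the review of recent activity recommended above, the following added example (not code from the advisory or from the plugin) scans web-server access-log lines for hits on the cpabc_ipncheck endpoint and flags requests that do not come from an allowlisted payment-processor network or that arrive in bursts. The log lines, the processor network range and the burst threshold are constructed placeholders; substitute the processor's published ranges and your own baseline.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache combined log format (not from a real site).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2025:10:01:02 +0000] "POST /?cpabc_ipncheck=1 HTTP/1.1" 200 512 "-" "curl/8.4"
198.51.100.20 - - [12/Nov/2025:10:01:03 +0000] "POST /?cpabc_ipncheck=1 HTTP/1.1" 200 512 "-" "processor-callback/1.0"
203.0.113.7 - - [12/Nov/2025:10:01:04 +0000] "POST /?cpabc_ipncheck=1 HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.7 - - [12/Nov/2025:10:01:05 +0000] "POST /?cpabc_ipncheck=1 HTTP/1.1" 200 512 "-" "curl/8.4"
192.0.2.9 - - [12/Nov/2025:10:02:00 +0000] "GET /appointments/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Assumed (placeholder) network from which genuine payment notifications originate.
PROCESSOR_NETS = [ip_network("198.51.100.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_ipn_hit(entry):
    """The vulnerable code path is selected by the cpabc_ipncheck query parameter."""
    return "cpabc_ipncheck" in entry["path"]


def find_suspicious_ipn_hits(log_text, allow_nets=PROCESSOR_NETS, burst_threshold=3):
    """Group IPN-endpoint hits by source IP and flag untrusted origins and bursts.

    The source IP is only meaningful if the log records the real client address
    (i.e. any reverse proxy in front of WordPress is configured to pass it through).
    """
    per_ip = Counter()
    untrusted = set()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or not is_ipn_hit(entry):
            continue
        per_ip[entry["ip"]] += 1
        if not any(ip_address(entry["ip"]) in net for net in allow_nets):
            untrusted.add(entry["ip"])
    findings = []
    for ip, hits in sorted(per_ip.items()):
        reasons = (["untrusted_source"] if ip in untrusted else []) + (["burst"] if hits >= burst_threshold else [])
        if reasons:
            findings.append({"ip": ip, "hits": hits, "reasons": reasons})
    return findings
```

Cross-check every flagged source against the bookings created at those timestamps; an origin check like this is a triage aid, not a substitute for the plugin update, since a genuine fix has to verify each notification with the payment processor.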

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
