Overview
CVE-2025-12842 is a medium-severity vulnerability affecting the Booking Plugin for WordPress Appointments – Time Slot plugin, impacting versions up to and including 1.4.7. This vulnerability allows unauthenticated attackers to send arbitrary emails via the plugin’s AJAX functionality. Due to missing validation on the tslot_appt_email AJAX action, attackers can craft malicious requests to send appointment notification emails to any recipient with attacker-controlled content. This poses a significant risk of phishing campaigns and spam distribution.
Technical Details
The vulnerability stems from missing input validation and sanitization in the tslot_appt_email AJAX action. The code that processes email requests neither verifies that the request is legitimate nor validates the email addresses and content it receives, so an unauthenticated attacker can supply the recipient, subject, and body of the message that the site sends.
The vulnerability can be traced back to the following files in versions prior to the patch:
- public/form/email.php (line 21) – potentially vulnerable code handling email parameters.
- public/form/email.php (line 23) – further potentially vulnerable code handling email parameters.
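The advisory does not reproduce the plugin's handler, so the following is an added example, not the Time Slot plugin's code: it sketches the bug class in a comment and then shows the hardened shape of a WordPress AJAX action that sends an appointment email. The hook names follow WordPress's wp_ajax_{action} convention for the tslot_appt_email action named above; the nonce name, capability, post type, meta keys, request parameter (appt_id) and rate limit are assumptions made for illustration.

```php
<?php
/*
 * Added example, not the plugin's code. Shows the defensive pattern for an
 * AJAX action that sends mail: authenticated hook only, nonce, capability
 * check, server-side resolution of recipient/subject/body, and a rate cap.
 * Nonce name, capability, post type, meta keys and limits are assumptions.
 */

// Bug class, illustrative sketch only (NOT the plugin's code): registering
// the nopriv hook and forwarding request fields to wp_mail() lets any visitor
// pick recipient, subject and body.
//
//   add_action( 'wp_ajax_nopriv_tslot_appt_email', function () {
//       wp_mail( $_POST['to'], $_POST['subject'], $_POST['body'] );
//   } );

// Hardened form: only the authenticated hook is registered; no nopriv variant.
add_action( 'wp_ajax_tslot_appt_email', 'example_tslot_send_appt_email' );

function example_tslot_send_appt_email() {
    // 1. Request authenticity: a nonce bound to this action (dies on failure).
    check_ajax_referer( 'example_tslot_email_nonce', 'nonce' );

    // 2. Authorisation: caller must hold a capability that implies managing
    //    bookings (the capability name is an assumption).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Recipient, subject and body are never taken from the request; they
    //    are resolved from a stored appointment identified by a numeric id.
    $appt_id = isset( $_POST['appt_id'] ) ? absint( $_POST['appt_id'] ) : 0;
    $appt    = $appt_id ? get_post( $appt_id ) : null;
    if ( ! $appt || 'tslot_appointment' !== $appt->post_type ) { // post type assumed
        wp_send_json_error( array( 'message' => 'Unknown appointment' ), 404 );
    }

    $to = sanitize_email( (string) get_post_meta( $appt_id, 'client_email', true ) ); // meta key assumed
    if ( ! is_email( $to ) ) {
        wp_send_json_error( array( 'message' => 'No valid recipient on record' ), 422 );
    }

    $when    = sanitize_text_field( (string) get_post_meta( $appt_id, 'appt_datetime', true ) ); // meta key assumed
    $subject = sprintf( 'Appointment confirmation #%d', $appt_id );
    $body    = sprintf( "Your appointment on %s has been confirmed.\n", $when );

    // 4. A per-user hourly cap bounds the damage even from an authorised
    //    account; the window start is stored so the hour does not slide.
    $key    = 'example_tslot_mail_' . get_current_user_id();
    $bucket = get_transient( $key );
    if ( ! is_array( $bucket ) || $bucket['start'] < time() - HOUR_IN_SECONDS ) {
        $bucket = array( 'start' => time(), 'count' => 0 );
    }
    if ( ++$bucket['count'] > 20 ) { // limit assumed
        wp_send_json_error( array( 'message' => 'Rate limit exceeded' ), 429 );
    }
    set_transient( $key, $bucket, HOUR_IN_SECONDS );

    if ( wp_mail( $to, $subject, $body ) ) {
        wp_send_json_success( array( 'appt_id' => $appt_id ) );
    }
    wp_send_json_error( array( 'message' => 'Mail delivery failed' ), 500 );
}
```

The key design choice is step 3: once the handler only accepts an appointment id and looks up everything else from its own records, the request cannot influence who is mailed or what the message says, which removes the phishing and relay risk at its root; the nonce and capability checks stop unauthenticated and cross-site triggering, and the rate cap limits volume if an account is compromised.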
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-12842 is 5.3 (MEDIUM).
This score reflects the following characteristics:
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Scope: Unchanged (S:U)
- Confidentiality Impact: None (C:N)
- Integrity Impact: Low (I:L)
- Availability Impact: None (A:N)
Possible Impact
Exploitation of this vulnerability can lead to several negative consequences:
- Phishing Campaigns: Attackers can craft emails that appear to originate from the website, tricking users into providing sensitive information.
- Spam Distribution: The website can be used as a relay for sending unsolicited emails, potentially damaging the site’s reputation and leading to blacklisting.
- Brand Impersonation: Attackers can impersonate the website owner or staff, sending fraudulent emails that damage the brand’s reputation.
Mitigation and Patch Steps
The recommended mitigation steps are as follows:
- Update the Plugin: The vulnerability has been patched in a later version of the Time Slot plugin. Immediately update to the latest version available.
- Monitor Website Traffic: Watch requests to the plugin's AJAX endpoint and the site's outgoing mail volume for unusual activity, such as a sudden increase in email sending.
- Implement Email Security Measures: Implement SPF, DKIM, and DMARC records to help prevent email spoofing.
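To make the monitoring step concrete, here is an added example (not the plugin's or WordPress's own code) of a must-use plugin that records every outgoing wp_mail() call together with the AJAX action, user and source address that triggered it, and writes an alert line when one source exceeds an hourly count. The log format, the thresholds and the transient key prefix are assumptions.

```php
<?php
/*
 * Added example, not the plugin's code: audit every wp_mail() call and flag
 * bursts. Place in wp-content/mu-plugins/ so it loads for every request.
 * Thresholds, log format and key prefix are assumptions.
 */

add_filter( 'wp_mail', 'example_mail_audit_record' );

function example_mail_audit_record( $args ) {
    // Normalise the filter arguments (to may be a string or an array).
    $to      = is_array( $args['to'] ) ? implode( ',', $args['to'] ) : (string) $args['to'];
    $subject = isset( $args['subject'] ) ? sanitize_text_field( (string) $args['subject'] ) : '';

    // Context of the triggering request. The action field is whatever the
    // request claimed, so it is informative only; user and IP are the signal.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '-';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    $user   = get_current_user_id(); // 0 for unauthenticated (nopriv) requests

    error_log( sprintf(
        '[mail-audit] to=%s user=%d ip=%s action=%s subject=%s',
        $to, $user, $ip, $action, $subject
    ) );

    // Fixed hourly bucket per (source, action): the hour number is part of the
    // key, so the counter naturally rolls over instead of sliding.
    $source = $user ? 'user:' . $user : 'anon:' . $ip;
    $window = (int) floor( time() / HOUR_IN_SECONDS );
    $key    = 'example_mail_audit_' . md5( $source . '|' . $action . '|' . $window );
    $count  = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, HOUR_IN_SECONDS );

    // Unauthenticated senders get a much tighter limit than logged-in staff
    // (assumed thresholds); error_log is used rather than wp_mail to avoid
    // recursing through this same filter.
    $limit = $user ? 100 : 5;
    if ( $count > $limit ) {
        error_log( sprintf(
            '[mail-audit] ALERT: %d messages this hour from %s via action=%s',
            $count, $source, $action
        ) );
    }

    return $args; // never modify the message; this hook only observes
}
```

Reviewing the PHP error log for `[mail-audit] ALERT` lines with an `anon:` source gives a direct indicator of the abuse described above, since legitimate appointment notifications should be rare per visitor; the log line also preserves the recipient and subject so an incident responder can tell relay or phishing traffic from normal confirmations.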
