Description

The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated updates to the plugin's Stripe payment options.

PUBLISHED Reserved 2025-11-06 | Published 2025-12-12 | Updated 2025-12-12 | Assigner WPScan

Problem types

CWE-862 Missing Authorization

Product status

Default status: unaffected

Any version before 2.5.1: affected

Credits

Khaled Alenazi (Nxploited) finder

WPScan coordinator

References

wpscan.com/...rability/60cb3d5f-1aa5-4858-ab84-07fe7c023fdd/ exploit vdb-entry technical-description

cve.org (CVE-2025-12841)

nvd.nist.gov (CVE-2025-12841)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.