CVE-2025-15473 | THREATINT

Description

The Timetics WordPress plugin before 1.0.52 does not have authorization in a REST endpoint, allowing unauthenticated users to arbitrarily change a booking's payment status and post status for the "timetics-booking" custom post type.

PUBLISHED Reserved 2026-01-06 | Published 2026-03-12 | Updated 2026-03-12 | Assigner WPScan

Problem types

CWE-862 Missing Authorization

Product status

Default status

unaffected

Any version before 1.0.52

affected

Credits

Khaled Alenazi (Nxploited) finder

WPScan coordinator

References

wpscan.com/...rability/f355e4ac-7aa6-4c5b-b1e5-b37937156583/ exploit vdb-entry technical-description

cve.org (CVE-2025-15473)

nvd.nist.gov (CVE-2025-15473)

Download JSON