{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12042", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-21T18:53:56.509Z", "datePublished": "2025-11-08T03:27:46.819Z", "dateUpdated": "2026-04-08T16:46:35.343Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:35.343Z"}, "affected": [{"vendor": "werbeagenturcommotion", "product": "Course Booking System", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Course Booking System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in the csv-export.php file in all versions up to, and including, 6.1.5. This makes it possible for unauthenticated attackers to directly access the file and obtain an export of all booking data."}], "title": "Course Booking System <= 6.1.5 - Missing Authorization to Unauthenticated Booking Data Export", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38b2b477-5b8a-42c2-b346-57707d9a34a5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3389366%40course-booking-system&new=3389366%40course-booking-system&sfp_email=&sfph_mail=#file86"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Powpy"}], "timeline": [{"time": "2025-10-23T15:25:06.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-07T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-10T17:20:09.571895Z", "id": "CVE-2025-12042", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T17:22:37.226Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12042", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-10T17:20:09.571895Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T17:20:16.999Z"}}], "cna": {"title": "Course Booking System <= 6.1.5 - Missing Authorization to Unauthenticated Booking Data Export", "credits": [{"lang": "en", "type": "finder", "value": "Powpy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "werbeagenturcommotion", "product": "Course Booking System", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "6.1.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-23T15:25:06.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-07T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38b2b477-5b8a-42c2-b346-57707d9a34a5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3389366%40course-booking-system&new=3389366%40course-booking-system&sfp_email=&sfph_mail=#file86"}], "descriptions": [{"lang": "en", "value": "The Course Booking System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in the csv-export.php file in all versions up to, and including, 6.1.5. This makes it possible for unauthenticated attackers to directly access the file and obtain an export of all booking data."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-08T03:27:46.819Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12042", "state": "PUBLISHED", "dateUpdated": "2025-11-10T17:22:37.226Z", "dateReserved": "2025-10-21T18:53:56.509Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-08T03:27:46.819Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Course Booking System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in the csv-export.php file in all versions up to, and including, 6.1.5. This makes it possible for unauthenticated attackers to directly access the file and obtain an export of all booking data."}], "id": "CVE-2025-12042", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-08T04:15:43.937", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3389366%40course-booking-system&new=3389366%40course-booking-system&sfp_email=&sfph_mail=#file86"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38b2b477-5b8a-42c2-b346-57707d9a34a5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:01:44.255106+00:00", "value": {"mitigation_remediation": ["Upgrade the Course Booking System plugin to version 6.1.6 or later.", "Restrict web access to csv-export.php using server\u2011side access controls such as .htaccess or a firewall rule to allow only authenticated users.", "Disable or remove the CSV export feature if the plugin provides a settings toggle, ensuring that booking data cannot be downloaded without authorization."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Data Disclosure"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Course Booking System plugin, version 6.1.5 or earlier. The issue exists in all releases up to and including 6.1.5.\n", "description_and_impact": "The Course Booking System plugin for WordPress contains an authorization flaw that allows any visitor to download booking data without \u201cedit_posts\u201d or other capability checks. By requesting the csv-export.php endpoint, an unauthenticated user can receive a full CSV export of all stored bookings, exposing user information, dates, and contact details. The weakness is a missing capability check, identified as CWE\u2011862 and providing a direct path to sensitive data exposure.\n", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate confidentiality impact with no authentication required. The EPSS score below 1% suggests a low probability of exploitation, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can trigger the flaw simply by accessing the CSV export URL from any network that can reach the affected site, meaning the attack vector is network-based and does not require privileged credentials. Once the request is made, the exported data is returned without further checks.\n"}}}}, "created": "2025-11-10T09:33:29.002860+00:00", "updated": "2026-04-22T12:15:16.042128+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}