{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12573", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2025-10-31T20:55:18.575Z", "datePublished": "2026-01-20T06:00:06.707Z", "dateUpdated": "2026-04-02T12:39:52.029Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:52.029Z"}, "title": "Bookingor <= 1.0.12 - Subscriber+ Category Deletion", "problemTypes": [{"descriptions": [{"description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Bookingor", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "1.0.12"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data."}], "references": [{"url": "https://wpscan.com/vulnerability/b6198d76-813c-4f13-8b3d-b4609095ae34/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Khaled Alenazi (Nxploited)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T14:30:51.351313Z", "id": "CVE-2025-12573", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T14:31:33.367Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-12573", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T14:30:51.351313Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T14:31:28.056Z"}}], "cna": {"title": "Bookingor <= 1.0.12 - Subscriber+ Category Deletion", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Khaled Alenazi (Nxploited)"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Bookingor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.12"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/b6198d76-813c-4f13-8b3d-b4609095ae34/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:52.029Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12573", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:52.029Z", "dateReserved": "2025-10-31T20:55:18.575Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-01-20T06:00:06.707Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data."}, {"lang": "es", "value": "El plugin de WordPress Bookingor hasta la versi\u00f3n 1.0.12 expone acciones AJAX autenticadas sin comprobaciones de capacidad o nonce, permitiendo a usuarios con pocos privilegios eliminar datos del plugin de WordPress Bookingor hasta la versi\u00f3n 1.0.12."}], "id": "CVE-2025-12573", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-20T06:16:00.080", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/b6198d76-813c-4f13-8b3d-b4609095ae34/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred"}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:38:29.409052+00:00", "value": {"mitigation_remediation": ["Update the Bookingor plugin to the latest available version that includes the capability and nonce checks for AJAX actions.", "If an update cannot be applied immediately, deactivate or remove the plugin to eliminate the exposed endpoints.", "Configure the web server or use a security plugin to block unauthenticated or low\u2011privilege access to the Bookingor AJAX URLs until a patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation leading to data deletion"}, "threat_synthesis": {"affected_systems": "Any WordPress site running the Bookingor plugin, version 1.0.12 or earlier, is affected. The plugin does not specify additional dependencies, so simply identifying the plugin version is sufficient. Sites that rely on this plugin for booking functionality or category management are at risk.", "description_and_impact": "The vulnerability lies in the Bookingor WordPress plugin through version 1.0.12, where authenticated AJAX actions are exposed without the proper capability or nonce checks. This flaw allows users with low privileges, such as subscribers, to trigger deletion requests that remove Bookingor data and potentially delete entire categories. The weakness is a missing authorization check, resulting in an unauthorized capability escalation that directly impacts data integrity and availability.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity; the EPSS score is below 1%, suggesting that exploitation events are currently rare but still possible. The vulnerability is not listed in the CISA KEV catalog, so it is not a known exploited vulnerability at this time. The attack vector is inferred to be through authenticated AJAX requests made by users who normally do not have the necessary privileges, meaning an attacker needs only a low\u2011privilege user account and the ability to send crafted requests to the plugin\u2019s AJAX endpoint. Because no nonce is validated, the attacker can simply call the endpoint with the required parameters to delete data."}}}}, "created": "2026-01-21T11:19:42.620956+00:00", "updated": "2026-04-27T21:45:14.529357+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-285", "CWE-269"]}