{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12842", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-06T20:19:03.726Z", "datePublished": "2025-11-19T05:45:10.444Z", "dateUpdated": "2026-04-08T16:34:15.985Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:15.985Z"}, "affected": [{"vendor": "timeslotplugins", "product": "Time Slot \u2013 Booking and Appointment System", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Booking Plugin for WordPress Appointments \u2013 Time Slot plugin for WordPress is vulnerable to unauthorized email sending in versions up to, and including, 1.4.7 due to missing validation on the tslot_appt_email AJAX action. This makes it possible for unauthenticated attackers to send appointment notification emails to arbitrary recipients with attacker-controlled text content in certain email fields, potentially enabling the site to be abused for phishing campaigns or spam distribution."}], "title": "Booking Plugin for WordPress Appointments \u2013 Time Slot <= 1.4.7 - Unauthenticated Arbitrary Email Sending", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/087b6943-5da8-44fe-8614-832768444178?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/timeslot/tags/1.4.6/public/form/email.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/timeslot/tags/1.4.6/public/form/email.php#L23"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397527%40timeslot&new=3397527%40timeslot&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-20 Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2025-11-06T23:27:24.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-18T17:24:42.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-19T20:13:13.236079Z", "id": "CVE-2025-12842", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T20:13:20.453Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12842", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-19T20:13:13.236079Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T20:13:17.522Z"}}], "cna": {"title": "Booking Plugin for WordPress Appointments \u2013 Time Slot <= 1.4.7 - Unauthenticated Arbitrary Email Sending", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "timeslotplugins", "product": "Time Slot \u2013 Booking and Appointment System", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-06T23:27:24.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-18T17:24:42.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/087b6943-5da8-44fe-8614-832768444178?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/timeslot/tags/1.4.6/public/form/email.php#L21"}, {"url": "https://plugins.trac.wordpress.org/browser/timeslot/tags/1.4.6/public/form/email.php#L23"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397527%40timeslot&new=3397527%40timeslot&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Booking Plugin for WordPress Appointments \u2013 Time Slot plugin for WordPress is vulnerable to unauthorized email sending in versions up to, and including, 1.4.7 due to missing validation on the tslot_appt_email AJAX action. This makes it possible for unauthenticated attackers to send appointment notification emails to arbitrary recipients with attacker-controlled text content in certain email fields, potentially enabling the site to be abused for phishing campaigns or spam distribution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:15.985Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12842", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:34:15.985Z", "dateReserved": "2025-11-06T20:19:03.726Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-19T05:45:10.444Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Booking Plugin for WordPress Appointments \u2013 Time Slot plugin for WordPress is vulnerable to unauthorized email sending in versions up to, and including, 1.4.7 due to missing validation on the tslot_appt_email AJAX action. This makes it possible for unauthenticated attackers to send appointment notification emails to arbitrary recipients with attacker-controlled text content in certain email fields, potentially enabling the site to be abused for phishing campaigns or spam distribution."}], "id": "CVE-2025-12842", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-19T06:15:46.990", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/timeslot/tags/1.4.6/public/form/email.php#L21"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/timeslot/tags/1.4.6/public/form/email.php#L23"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397527%40timeslot&new=3397527%40timeslot&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/087b6943-5da8-44fe-8614-832768444178?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:37:05.537179+00:00", "value": {"mitigation_remediation": ["Update the Time Slot plugin to a version newer than 1.4.7 that includes the validation patch.", "If an immediate update is not possible, block unauthenticated access to the tslot_appt_email AJAX action, for example by adding a CSRF nonce check or by denying requests to the endpoint with .htaccess or a firewall rule.", "Deploy and configure an email\u2011sending filter or security plugin (such as Wordfence) to detect and block unauthorized bulk emails originating from the site."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Email Sending"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Time Slot \u2013 Booking and Appointment System plugin by timeslotplugins. All releases up to and including version 1.4.7 are impacted; no higher\u2011numbered release is listed as affected.", "description_and_impact": "A tamper\u2011free tslot_appt_email AJAX action lacks input validation, allowing anyone to send appointment notification emails with attacker\u2011controlled message content. This flaw can be leveraged to transmit phishing or spam campaigns through the victim site, potentially compromising the site's reputation and exposing users to malicious links or attachments. The weakness corresponds to CWE-20, Input Validation.", "risk_and_exploitability": "The CVSS score is 5.3 and the EPSS score is below 1%, indicating a moderate severity with a low probability of exploitation at the time of analysis. The flaw is exploitable by unauthenticated users via a standard AJAX call, and the vulnerability is not contained in the CISA KEV catalog. Attackers need only send a crafted request to the exposed endpoint to trigger arbitrary email dispatches."}}}}, "created": "2025-11-21T09:15:53.812646+00:00", "updated": "2026-04-22T16:45:21.458213+00:00", "vendors": ["timeslotplugins", "timeslotplugins$PRODUCT$booking_plugin_for_wordpress_appointments", "wordpress", "wordpress$PRODUCT$wordpress"]}