{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5919", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-09T10:11:13.131Z", "datePublished": "2026-01-06T08:21:49.906Z", "dateUpdated": "2026-04-08T17:26:57.217Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:57.217Z"}, "affected": [{"vendor": "arraytics", "product": "Timetics \u2013 Appointment Booking & Scheduling", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.36", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Appointment Booking and Scheduling Calendar Plugin \u2013 WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details."}], "title": "Appointment Booking and Scheduling Calendar Plugin \u2013 WP Timetics <= 1.0.36 - Missing Authorization to Unauthenticated Booking Details View And Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8d50b65-7479-4140-9231-c06c18d8be8f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.36/core/bookings/api-booking.php#L56"}, {"url": "https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.36/core/bookings/booking.php#L592"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "greenhats"}], "timeline": [{"time": "2025-06-01T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-05T20:15:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T14:27:18.041911Z", "id": "CVE-2025-5919", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:27:50.960Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5919", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T14:27:18.041911Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:27:42.066Z"}}], "cna": {"title": "Appointment Booking and Scheduling Calendar Plugin \u2013 WP Timetics <= 1.0.36 - Missing Authorization to Unauthenticated Booking Details View And Modification", "credits": [{"lang": "en", "type": "finder", "value": "greenhats"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "arraytics", "product": "Timetics \u2013 Appointment Booking & Scheduling", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.36"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-01T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-05T20:15:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8d50b65-7479-4140-9231-c06c18d8be8f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.36/core/bookings/api-booking.php#L56"}, {"url": "https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.36/core/bookings/booking.php#L592"}], "descriptions": [{"lang": "en", "value": "The Appointment Booking and Scheduling Calendar Plugin \u2013 WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:57.217Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5919", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:26:57.217Z", "dateReserved": "2025-06-09T10:11:13.131Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-06T08:21:49.906Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Appointment Booking and Scheduling Calendar Plugin \u2013 WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details."}], "id": "CVE-2025-5919", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-06T09:15:54.670", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.36/core/bookings/api-booking.php#L56"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.36/core/bookings/booking.php#L592"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8d50b65-7479-4140-9231-c06c18d8be8f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T18:52:26.606546+00:00", "value": {"mitigation_remediation": ["Upgrade the Timetics plugin to version 1.0.37 or later, where the capability checks have been added", "If upgrading immediately is not possible, temporarily block or restrict the plugin\u2019s REST API routes to authenticated users through WordPress role settings or custom code", "Continuously monitor site logs for anomalous booking access patterns that may indicate exploitation attempts"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized viewing and modification of appointment booking data"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WP Timetics plugin developed by arraytics, covering all versions 1.0.36 and earlier. Users running any of these releases on their WordPress sites are potentially exposed.", "description_and_impact": "The Timetics Appointment Booking & Scheduling plugin has a missing capability check in its update and register_routes functions in all releases up to 1.0.36. This omission allows anyone who can send a request to the plugin\u2019s REST API endpoints to retrieve and edit booking details without authenticating, effectively exposing sensitive customer data and enabling tampering with scheduled appointments.", "risk_and_exploitability": "The CVSS base score of 6.5 indicates moderate severity, while an EPSS score below 1% suggests a low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog, and no public exploit has been reported. Likely attack vectors involve direct REST API calls to the plugin\u2019s endpoints, where the missing capability check allows unauthenticated access to booking data."}}}}, "created": "2026-01-06T14:15:46.460233+00:00", "updated": "2026-04-20T19:00:10.687793+00:00", "vendors": ["arraytics", "arraytics$PRODUCT$appointment_booking_calendar", "wordpress", "wordpress$PRODUCT$wordpress"]}