{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67970", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:28.856Z", "datePublished": "2026-02-20T15:46:28.741Z", "dateUpdated": "2026-04-28T16:14:24.929Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "schedula-smart-appointment-booking", "product": "Schedula", "vendor": "vertim", "versions": [{"changes": [{"at": "1.1", "status": "unaffected"}], "lessThanOrEqual": "1.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ty5ona | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:27.497Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in vertim Schedula schedula-smart-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Schedula: from n/a through <= 1.0.</p>"}], "value": "Missing Authorization vulnerability in vertim Schedula schedula-smart-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Schedula: from n/a through <= 1.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.929Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/schedula-smart-appointment-booking/vulnerability/wordpress-schedula-plugin-1-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Schedula plugin <= 1.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T18:08:33.376185Z", "id": "CVE-2025-67970", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:08:41.872Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67970", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T18:08:33.376185Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T21:57:05.332Z"}}], "cna": {"title": "WordPress Schedula plugin <= 1.0 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Ty5ona | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "vertim", "product": "Schedula", "versions": [{"status": "affected", "changes": [{"at": "1.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0"}], "packageName": "schedula-smart-appointment-booking", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:27.497Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/schedula-smart-appointment-booking/vulnerability/wordpress-schedula-plugin-1-0-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in vertim Schedula schedula-smart-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Schedula: from n/a through <= 1.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in vertim Schedula schedula-smart-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Schedula: from n/a through <= 1.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:55.185Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67970", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:08:41.872Z", "dateReserved": "2025-12-15T10:00:28.856Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:28.741Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in vertim Schedula schedula-smart-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Schedula: from n/a through <= 1.0."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en vertim Schedula schedula-smart-appointment-booking permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Schedula: desde n/a hasta &lt;= 1.0."}], "id": "CVE-2025-67970", "lastModified": "2026-04-27T18:16:51.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-20T16:22:03.150", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/schedula-smart-appointment-booking/vulnerability/wordpress-schedula-plugin-1-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Schedula", "source": "cna", "vendor": "vertim"}, "product": "schedula", "vendor": "vertim"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T09:39:56.015439+00:00", "value": {"mitigation_remediation": ["Upgrade the Vertim Schedula Smart Appointment Booking plugin to the latest version that includes the missing authorization fix.", "If an upgrade is not possible, remove or deactivate the plugin from the site to eliminate the vulnerable code.", "Restrict access to the plugin\u2019s administrative endpoints by configuring WordPress user roles so that only trusted administrators retain capabilities such as editing appointments or accessing configuration settings.", "Monitor for abnormal requests to the plugin\u2019s endpoints and consider disabling or restricting remote access to the WordPress admin area (e.g., via IP whitelisting or 2\u2011factor authentication) until a patch is applied."], "summary": {"action": "Update Plugin", "impact": "Unauthenticated access to privileged plugin functions"}, "threat_synthesis": {"affected_systems": "The flaw exists in all releases of the Vertim Schedula plugin up to and including version\u00a01.0. Any WordPress site that has installed this plugin during that period is potentially affected.", "description_and_impact": "The vulnerability is caused by missing authorization checks in the Vertim Schedula Smart Appointment Booking plugin for WordPress. This broken access control allows an unauthenticated or low\u2011privileged user to invoke functionality that is intended for administrators. The result is unauthorized access to protected plugin features. The weakness is identified as CWE\u2011862. The CVE description does not detail the precise data or functions exposed, so the exact confidentiality, integrity or availability impact remains unclear, but typical implications of such flaws include unauthorized viewing or modification of appointment data or configuration settings.", "risk_and_exploitability": "The CVSS score of\u00a05.9 places the flaw in the moderate risk range. The EPSS score is less than\u00a01%, indicating a very low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. The description does not specify the exact attack vector, but the plugin\u2019s functionality is accessed via the WordPress web interface, implying that an attacker could potentially exploit the flaw remotely over HTTP. Because the issue is a missing authorization check, the exploitation requires only that the attacker can reach the plugin\u2019s endpoints and that the plugin does not enforce role checks before processing requests."}}}}, "created": "2026-02-23T14:46:28.159199+00:00", "updated": "2026-04-28T09:45:28.454522+00:00", "vendors": ["vertim", "vertim$PRODUCT$schedula", "wordpress", "wordpress$PRODUCT$wordpress"]}