CVE-2025-12633
📋 TL;DR
The Bookit WordPress plugin has a missing capability check on its Stripe return endpoint, allowing unauthenticated attackers to connect their own Stripe account and receive payments meant for the site owner. This affects all WordPress sites using Bookit plugin versions up to 2.5.0. Attackers can redirect payments to themselves without any authentication.
💻 Affected Systems
- Booking Calendar | Appointment Booking | Bookit WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
All payments processed through the plugin are redirected to attacker-controlled Stripe accounts, resulting in complete revenue loss and potential legal/financial liability.
Likely Case
Attackers connect their Stripe account and receive some payments before detection, causing financial loss and payment processing disruption.
If Mitigated
No impact if plugin is patched or disabled, or if Stripe integration is not configured.
🎯 Exploit Status
Simple HTTP POST to vulnerable endpoint with attacker's Stripe credentials; no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3393159/bookit/tags/2.5.1/src/Bookit/Gateways/StripeConnect/REST/Return_Endpoint.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find the 'Bookit' plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 2.5.1+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable Bookit Plugin
Temporarily deactivate the vulnerable plugin until patched.
wp plugin deactivate bookit
Block REST API Endpoint
Use a web application firewall or .htaccess to block access to the vulnerable endpoint.
RewriteEngine On
RewriteRule ^wp-json/bookit/v1/commerce/stripe/return - [F,L]
🧯 If You Can't Patch
- Disable the Bookit plugin immediately and use an alternative booking solution.
- Implement network-level blocking of /wp-json/bookit/v1/commerce/stripe/return endpoint.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Bookit version. If version ≤2.5.0, you are vulnerable.
Check Version:
wp plugin get bookit --field=version
Verify Fix Applied:
Confirm Bookit plugin version is 2.5.1 or higher in WordPress admin.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-json/bookit/v1/commerce/stripe/return from unexpected IPs
- Stripe API connection attempts from unknown accounts
Network Indicators:
- POST requests to vulnerable endpoint without authentication headers
- Unexpected Stripe webhook callbacks
SIEM Query:
source="web_logs" AND uri_path="/wp-json/bookit/v1/commerce/stripe/return" AND http_method="POST"
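The log indicator above, as an added example that is not part of this advisory: a Python check over constructed combined-format access log lines that flags POSTs to the Bookit return route. It recognises both the /wp-json/ path form and the ?rest_route= form WordPress accepts when pretty permalinks are disabled, so a query keyed only on the path does not miss the second form; the IPs and timestamps are constructed sample values.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Route of the Bookit Stripe return endpoint named in this advisory (wp-json prefix stripped).
VULN_ROUTE = "/bookit/v1/commerce/stripe/return"

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:14:02:11 +0000] "POST /wp-json/bookit/v1/commerce/stripe/return HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.3 - - [10/Nov/2025:14:02:40 +0000] "GET /wp-json/bookit/v1/commerce/stripe/return?code=ac_x HTTP/1.1" 302 0 "https://connect.stripe.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2025:14:03:05 +0000] "POST /index.php?rest_route=%2Fbookit%2Fv1%2Fcommerce%2Fstripe%2Freturn HTTP/1.1" 200 512 "-" "curl/8.4.0"
192.0.2.9 - - [10/Nov/2025:14:05:00 +0000] "GET /wp-admin/admin.php?page=bookit HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def rest_route(target):
    """Map a request target to its WordPress REST route, or None if it is not a REST call.
    Handles /wp-json/<route> and the ?rest_route=<route> form used without pretty permalinks."""
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):]
    routes = parse_qs(parts.query).get("rest_route")
    return routes[0] if routes else None

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_suspicious(log_text):
    """Return parsed records for POST requests to the vulnerable return route."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rest_route(rec["target"]) == VULN_ROUTE:
            hits.append(rec)
    return hits

def hits_by_ip(hits):
    """Count flagged requests per source IP for triage."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["method"], h["target"], h["ua"])
```

Legitimate Stripe Connect returns arrive as browser redirects with a connect.stripe.com referer, so the referer and user agent fields of each hit are useful for separating those from scripted POSTs.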
🔗 References
- https://plugins.trac.wordpress.org/changeset/3393159/bookit/tags/2.5.1/src/Bookit/Gateways/StripeConnect/REST/Return_Endpoint.php?old=3121677&old_path=bookit%2Ftags%2F2.5.0%2Fsrc%2FBookit%2FGateways%2FStripeConnect%2FREST%2FReturn_Endpoint.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2263d356-b2ed-4e16-98ee-b01d4274d1d9?source=cve