CVE-2025-12842
📋 TL;DR
This vulnerability allows unauthenticated attackers to send appointment notification emails with attacker-controlled content through the WordPress Booking Plugin for WordPress Appointments – Time Slot plugin. Attackers can abuse vulnerable WordPress sites to send phishing emails or spam to arbitrary recipients. WordPress sites using this plugin version 1.4.7 or earlier are affected.
💻 Affected Systems
- Booking Plugin for WordPress Appointments – Time Slot
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Site becomes a platform for large-scale phishing campaigns, damaging reputation and potentially leading to legal liability if used to target sensitive organizations.
Likely Case
Site used for spam distribution, potentially getting blacklisted by email providers and affecting legitimate email delivery.
If Mitigated
Limited to minor spam incidents if email sending limits are enforced, but still represents unauthorized use of resources.
🎯 Exploit Status
The vulnerability is in an AJAX endpoint that lacks authentication checks, making exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.8 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397527%40timeslot&new=3397527%40timeslot&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Booking Plugin for WordPress Appointments – Time Slot'. 4. Click 'Update Now' if available, or download version 1.4.8+ from WordPress repository. 5. Replace plugin files with patched version.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
allAdd code to WordPress theme's functions.php to remove the vulnerable tslot_appt_email AJAX action
add_action('init', function() { remove_action('wp_ajax_nopriv_tslot_appt_email', 'tslot_appt_email'); });
Deactivate plugin
allTemporarily disable the plugin until patched version can be installed
🧯 If You Can't Patch
- Implement web application firewall rules to block requests to the vulnerable AJAX endpoint
- Configure email sending limits and monitoring to detect abuse
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for 'Booking Plugin for WordPress Appointments – Time Slot' version 1.4.7 or earlierCheck Version:
wp plugin list --name='booking-plugin-for-wordpress-appointments-time-slot' --field=versionVerify Fix Applied:
Confirm plugin version is 1.4.8 or later in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual volume of POST requests to /wp-admin/admin-ajax.php with action=tslot_appt_email
- Spike in outbound email traffic from WordPress
Network Indicators:
- Multiple email sending attempts to diverse recipients from single WordPress instance
SIEM Query:
source="wordpress_logs" action="admin-ajax" uri="*tslot_appt_email*" | stats count by src_ip🔗 References
- https://plugins.trac.wordpress.org/browser/timeslot/tags/1.4.6/public/form/email.php#L21
- https://plugins.trac.wordpress.org/browser/timeslot/tags/1.4.6/public/form/email.php#L23
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397527%40timeslot&new=3397527%40timeslot&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/087b6943-5da8-44fe-8614-832768444178?source=cve
