CVE-2025-13318
📋 TL;DR
The Booking Calendar Contact Form WordPress plugin has a missing authorization vulnerability in its payment IPN (instant payment notification) handler that lets unauthenticated attackers confirm bookings without paying. All WordPress sites running plugin versions up to and including 1.2.60 are affected. An attacker can bypass the payment requirement and mark arbitrary bookings as confirmed.
💻 Affected Systems
- Booking Calendar Contact Form WordPress Plugin
⚠️ Manual Verification Required
The CVE record carries no version range, so automated scanners that rely on NVD/CPE version data cannot tell whether a given site is affected.
Why? The vendor and NVD did not publish version ranges in the CVE entry. The range given elsewhere on this page (vulnerable up to and including 1.2.60, fixed in 1.2.61) must therefore be confirmed against your installed plugin version by hand.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could book all available time slots without payment, causing financial loss and service disruption for businesses relying on booking revenue.
Likely Case
Attackers exploit the vulnerability to book services or appointments without paying, resulting in lost revenue and potential double-booking issues.
If Mitigated
If the plugin is updated, or the IPN handler is blocked at the web server or WAF, the attack path is closed. Monitoring alone does not stop the bypass (a single unauthenticated request is enough, so rate limiting buys little); it only shortens the time an unpaid confirmation goes unnoticed, and each one still has to be reconciled against payment-gateway records and reverted by hand.
🎯 Exploit Status
The handler is reachable without authentication, so exploitation is a matter of sending HTTP requests that carry the dex_bccf_ipn parameter to the plugin's IPN handler in dex_bccf.php (see References). No WordPress account, session or nonce is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.61 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Booking Calendar Contact Form.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.2.61 or later from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable Plugin
All platforms: temporarily disable the vulnerable plugin until it is patched.
wp plugin deactivate booking-calendar-contact-form
Block Vulnerable Endpoint
Linux / web server: block requests that carry the dex_bccf_ipn parameter before they reach PHP. The parameter is part of the request, not of the URL path, so a path match such as <LocationMatch "dex_bccf_ipn"> (Apache) or location ~* dex_bccf_ipn (Nginx) never fires; match the query string instead. Two caveats: this also blocks the payment gateway's legitimate IPN callbacks, so paid bookings will not auto-confirm while the block is in place, and if the parameter is sent in a POST body rather than the query string the web server cannot see it and a body-inspecting WAF rule is needed.
# Apache 2.4 (mod_rewrite), in the vhost or .htaccess:
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)dex_bccf_ipn(=|&|$) [NC]
RewriteRule ^ - [F]
# Nginx, inside the server block:
if ($args ~* "(^|&)dex_bccf_ipn(=|&|$)") { return 403; }
🧯 If You Can't Patch
- Implement web application firewall rules to block requests carrying the 'dex_bccf_ipn' parameter in the query string or POST body (note that this also blocks the payment gateway's legitimate IPN callbacks, so confirm paid bookings manually while the rule is active)
- Monitor booking confirmations for suspicious patterns and implement manual review process
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Booking Calendar Contact Form. If version is 1.2.60 or lower, you are vulnerable.
Check Version:
wp plugin get booking-calendar-contact-form --field=version
Verify Fix Applied:
After updating, verify plugin version shows 1.2.61 or higher in WordPress admin panel.
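The version check above can be scripted for a fleet of sites. The following is an added example, not part of the advisory or the plugin: it reads the standard WordPress plugin header ("Version: x.y.z") from the plugin's main file (dex_bccf.php, the file the References point at) and compares it numerically against the fixed version. The install path is an assumption about a typical layout, and the sample header text is constructed for the demonstration. The numeric comparison matters: a plain string comparison would rank "1.2.9" above "1.2.60".

```python
"""Is an installed Booking Calendar Contact Form at or below the last vulnerable version?

Added example, not the advisory's or the plugin's own code. Assumptions:
  - the plugin's main file is wp-content/plugins/booking-calendar-contact-form/dex_bccf.php;
  - it carries a standard WordPress plugin header with a "Version:" line;
  - FIXED_VERSION is taken from the advisory (1.2.61).
"""
import re
from pathlib import Path

FIXED_VERSION = "1.2.61"

# Matches "Version: 1.2.60" or " * Version: 1.2.60" at the start of a header line.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(?P<v>[0-9][0-9.]*)",
                        re.MULTILINE | re.IGNORECASE)


def version_tuple(s):
    """'1.2.60' -> (1, 2, 60); tuples compare component-wise, unlike strings."""
    return tuple(int(p) for p in s.strip(".").split("."))


def parse_version(header_text):
    """Return the declared plugin version as a tuple, or None if no Version: line exists."""
    m = VERSION_RE.search(header_text)
    return version_tuple(m["v"]) if m else None


def is_vulnerable(header_text, fixed=FIXED_VERSION):
    """True when the header declares a version strictly below the fixed release."""
    v = parse_version(header_text)
    if v is None:
        raise ValueError("no Version: header found; check the file path")
    return v < version_tuple(fixed)


def check_install(wp_root="/var/www/html"):
    """Read the plugin header from a WordPress install (path is an assumption)."""
    path = Path(wp_root) / "wp-content/plugins/booking-calendar-contact-form/dex_bccf.php"
    return is_vulnerable(path.read_text(encoding="utf-8", errors="replace"))


# Constructed sample header in the WordPress plugin-header format (not a real file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Booking Calendar Contact Form
Version: 1.2.60
*/
"""

if __name__ == "__main__":
    print("vulnerable" if is_vulnerable(SAMPLE_HEADER) else "patched")
```

Run check_install() against each web root; a ValueError means the file was not where the script expected it, not that the site is safe, so treat it as "unknown" rather than "patched".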
📡 Detection & Monitoring
Log Indicators:
- HTTP requests (GET or POST) whose query string or body carries the 'dex_bccf_ipn' parameter, especially from source addresses that are not your payment gateway's published IPN senders
- Multiple booking confirmations from the same IP without corresponding payment-gateway transactions
Network Indicators:
- Unusual spike in requests to booking confirmation endpoints
- Requests bypassing payment gateway callbacks
SIEM Query (adapt field names to your log source, and exclude your payment gateway's published IPN source addresses, otherwise every legitimate callback matches):
source="web_server" AND uri="*dex_bccf_ipn*" AND response_code=200
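The same indicator can be checked offline against access logs when no SIEM is available. The following is an added example, not part of the advisory or the plugin: it parses combined-format access-log lines, keeps the requests whose query string carries dex_bccf_ipn, and counts successful hits per client address, excluding a placeholder allowlist for the payment gateway's IPN senders. The allowlist network and the log lines are constructed for the demonstration (TEST-NET documentation addresses, not real ones); replace GATEWAY_NETS with the ranges your gateway publishes. A parameter sent in a POST body does not appear in the access log, so this only covers the query-string form; body inspection needs a WAF or application-level logging.

```python
"""Flag hits on the dex_bccf_ipn handler in combined-format access logs.

Added example, not the advisory's or the plugin's own code. Assumptions:
  - Apache/nginx "combined" log format (client IP first, quoted request line, then status);
  - the parameter appears in the query string (a POST body is not logged);
  - GATEWAY_NETS is a placeholder; 203.0.113.0/24 is a documentation range, not a gateway.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Placeholder allowlist: the payment gateway's published IPN source ranges go here.
GATEWAY_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def ipn_hits(lines):
    """Yield (ip, method, status, params) for each request whose query string carries dex_bccf_ipn."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if "dex_bccf_ipn" in params:
            yield m["ip"], m["method"], int(m["status"]), params


def from_gateway(ip):
    """True if the client address falls inside the gateway allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GATEWAY_NETS)


def suspicious_sources(lines):
    """Count successful (2xx) dex_bccf_ipn hits per client IP, ignoring allowlisted gateway senders."""
    counts = Counter()
    for ip, _method, status, _params in ipn_hits(lines):
        if 200 <= status < 300 and not from_gateway(ip):
            counts[ip] += 1
    return dict(counts)


# Constructed sample log: one gateway callback, two crafted hits, one unrelated request,
# and one hit that the web-server block answered with 403.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Nov/2025:10:01:02 +0000] "POST /?dex_bccf_ipn=1 HTTP/1.1" 200 12 "-" "gateway-ipn"',
    '198.51.100.77 - - [12/Nov/2025:10:05:44 +0000] "GET /?dex_bccf_ipn=1 HTTP/1.1" 200 12 "-" "curl/8.5.0"',
    '198.51.100.77 - - [12/Nov/2025:10:05:45 +0000] "GET /?dex_bccf_ipn HTTP/1.1" 200 12 "-" "curl/8.5.0"',
    '198.51.100.77 - - [12/Nov/2025:10:06:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "curl/8.5.0"',
    '192.0.2.5 - - [12/Nov/2025:10:07:00 +0000] "GET /?dex_bccf_ipn=1 HTTP/1.1" 403 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} successful dex_bccf_ipn hit(s) outside the gateway allowlist")
```

Every address reported here should be reconciled against the gateway's transaction records; a hit with no matching payment is a booking to revert.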
🔗 References
- https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.59/dex_bccf.php#L1409
- https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf.php#L1409
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399906%40booking-calendar-contact-form&new=3399906%40booking-calendar-contact-form&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/83b0ae2c-6b08-4b71-a728-c60722ec20c7?source=cve