CVE-2025-68569

HIGH
2025-12-24 [email protected]
8.8
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 24, 2025 - 13:16 (nvd)

Description

Missing Authorization vulnerability in codepeople WP Time Slots Booking Form wp-time-slots-booking-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Time Slots Booking Form: from n/a through <= 1.2.39.

Analysis

Broken access control in the WP Time Slots Booking Form plugin (≤ 1.2.39) allows an authenticated attacker holding any low-privilege WordPress account to invoke administrative plugin functions that should be restricted to higher roles. The root cause is missing authorization checks (CWE-862): the plugin performs privileged operations without verifying the caller's capabilities, so a low-privilege user can read, modify, or delete booking data and plugin configuration. The CVSS 3.1 score is 8.8 (High), but exploitation likelihood currently looks moderate: EPSS is 0.06% (18th percentile) and no public exploit had been identified at the time of analysis.

Technical Context

This vulnerability is a classic broken access control issue (CWE-862: Missing Authorization) in a WordPress plugin. The WP Time Slots Booking Form plugin fails to enforce capability checks on privileged functions, so any authenticated user (subscriber, contributor, etc.) can invoke them. In WordPress plugins this usually takes the form of admin-ajax.php handlers registered on wp_ajax_* hooks, or REST API routes with a permissive permission_callback, that never call current_user_can() before acting. A nonce check (check_ajax_referer() or check_admin_referer()) is not a substitute: nonces defend against CSRF by proving the request came from a page the user loaded, and any logged-in user can obtain one; authorization requires an explicit capability check such as current_user_can('manage_options'). The CVSS vector PR:L indicates the attacker needs a low-privilege WordPress account, not anonymous access. This distinguishes it from unauthenticated vulnerabilities but is still a serious risk on sites that allow open registration or otherwise hand out subscriber-level accounts. Because the plugin manages time-based bookings, unauthorized access to its administrative functions could allow manipulation of appointment schedules, customer booking data, availability configuration and, depending on how the form is configured, payment-related settings. The advisory does not detail which functions are affected, so the exact impact should be confirmed against the plugin changelog.
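As an added example (not code from the plugin, the advisory, or this page), the following Python script audits plugin PHP source for the pattern described above: it finds admin-ajax.php handlers registered with add_action('wp_ajax_...', ...) and reports any whose callback changes site state without a current_user_can() check, distinguishing a nonce-only handler from one that is properly authorized and flagging wp_ajax_nopriv_ registrations that are reachable without login. The embedded PHP sample is constructed for the demonstration; the tsbf_ handler names and option names are invented and are not the plugin's real identifiers.

```python
"""Heuristic CWE-862 audit for WordPress admin-ajax.php handlers."""
import re

# Constructed sample of plugin-style PHP (not the real plugin's source). It
# shows the three patterns discussed above: nonce-only (vulnerable), nonce plus
# capability check (correct), and an unchecked read path exposed to nopriv.
SAMPLE_PHP = r'''<?php
add_action('wp_ajax_tsbf_save_settings', 'tsbf_save_settings');
add_action('wp_ajax_tsbf_delete_booking', 'tsbf_delete_booking');
add_action('wp_ajax_tsbf_list_slots', 'tsbf_list_slots');
add_action('wp_ajax_nopriv_tsbf_list_slots', 'tsbf_list_slots');

function tsbf_save_settings() {
    // Nonce only: stops CSRF, but any logged-in user can fetch a nonce,
    // so a subscriber can still rewrite the plugin settings (CWE-862).
    check_ajax_referer('tsbf_nonce', 'nonce');
    update_option('tsbf_settings', wp_unslash($_POST['settings']));
    wp_send_json_success();
}

function tsbf_delete_booking() {
    check_ajax_referer('tsbf_nonce', 'nonce');
    if ( ! current_user_can('manage_options') ) {
        wp_send_json_error('forbidden', 403);
    }
    wp_delete_post(absint($_POST['id']), true);
    wp_send_json_success();
}

function tsbf_list_slots() {
    wp_send_json_success(get_option('tsbf_slots'));
}
'''

# add_action('wp_ajax_[nopriv_]ACTION', 'callback') with a string callback.
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?([A-Za-z0-9_]+)['"]\s*,\s*['"]([A-Za-z0-9_]+)['"]"""
)
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
# Calls that change site state; reaching these without a capability check is
# the missing-authorization pattern.
WRITE_RE = re.compile(
    r"\b(?:update_option|delete_option|add_option|wp_insert_post|wp_update_post|"
    r"wp_delete_post|wp_insert_user|wp_update_user|wp_delete_user)\s*\(|\$wpdb->"
)


def function_body(source, name):
    """Return the body of `function name(...) { ... }` by brace matching, or
    None if the function is not defined in `source`. Heuristic: braces inside
    strings or comments are counted too."""
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\(", source)
    if not m:
        return None
    start = source.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[start + 1:i]
    return None


def audit_php(source):
    """One finding per wp_ajax_* registration found in `source`."""
    findings = []
    for nopriv, action, callback in HOOK_RE.findall(source):
        hook = f"wp_ajax_{nopriv}{action}"
        body = function_body(source, callback)
        if body is None:
            findings.append({"hook": hook, "callback": callback, "verdict": "callback-not-found"})
            continue
        has_cap = bool(CAP_RE.search(body))
        has_nonce = bool(NONCE_RE.search(body))
        writes = bool(WRITE_RE.search(body))
        if has_cap:
            verdict = "ok"
        elif writes:
            verdict = "missing-authorization"  # state change, no capability check
        else:
            verdict = "review"  # read path: check what data it discloses
        findings.append({
            "hook": hook, "callback": callback,
            "unauthenticated": bool(nopriv),   # nopriv_ hooks run for anonymous visitors
            "has_capability_check": has_cap,
            "has_nonce_check": has_nonce,
            "changes_state": writes,
            "verdict": verdict,
        })
    return findings


def findings_by_hook(source):
    return {f["hook"]: f for f in audit_php(source)}


if __name__ == "__main__":
    for f in audit_php(SAMPLE_PHP):
        print(f"{f['verdict']:22} {f['hook']} -> {f['callback']}()  "
              f"cap={f.get('has_capability_check')} nonce={f.get('has_nonce_check')} "
              f"anon={f.get('unauthenticated')}")
```

Run it over the concatenated .php files of a plugin directory. It is a heuristic (string callbacks only, no awareness of checks performed by a caller or a permission_callback), so treat "missing-authorization" as a lead to confirm by reading the handler, and check "review" paths for what they return to callers who should not see it.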

Affected Products

The vulnerability affects the WP Time Slots Booking Form plugin for WordPress (slug wp-time-slots-booking-form, developed by codepeople and distributed through the WordPress.org plugin repository) in all versions up to and including 1.2.39. Precise CPE identifiers are not provided in the source data, but the affected range is clearly bounded: every release through 1.2.39, with 1.2.38 the version named in the referenced Patchstack advisory. The risk is highest for multi-user WordPress sites, particularly those that allow untrusted user registration or hold sensitive booking data for healthcare, professional services, or other appointment-based businesses.

Remediation

Site administrators should upgrade WP Time Slots Booking Form to a version later than 1.2.39 as soon as possible. The disclosure bounds the affected range at 1.2.39, which implies the fix landed in the next release (1.2.40); confirm this against the plugin changelog rather than assuming it. The update can be applied through the WordPress admin dashboard (Dashboard > Updates, or the update link under Plugins > Installed Plugins) or by downloading the latest version from the WordPress.org plugin repository. Detailed vulnerability information and vendor guidance is available in the Patchstack database advisory: https://patchstack.com/database/Wordpress/Plugin/wp-time-slots-booking-form/vulnerability/wordpress-wp-time-slots-booking-form-plugin-1-2-38-broken-access-control-vulnerability. As interim mitigations while testing the update, administrators can disable new user registration (Settings > General > Membership, i.e. the users_can_register option), audit existing low-privilege accounts for suspicious activity, review booking form settings for unauthorized changes, and watch web server logs for unusual authenticated requests to admin-ajax.php or the REST API. Organizations unable to upgrade promptly should consider temporarily deactivating the plugin if booking functionality is non-critical, accepting that this will disrupt appointment-dependent services.

Priority Score

44 (KEV: 0, EPSS: +0.1, CVSS: +44, POC: 0)

CVE-2025-68569 vulnerability details – vuln.today