CVE-2025-12633: 
WordPress vulnerability analysis and mitigation

The Booking Calendar | Appointment Booking | Bookit plugin for WordPress has been identified with vulnerability CVE-2025-12633, discovered and disclosed on November 11, 2025. The vulnerability affects all versions up to and including 2.5.0 of the plugin. This security issue stems from a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint (NVD CVE, Rapid7 DB).

The vulnerability is classified as CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 7.5 (HIGH). The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed (NVD CVE).

The vulnerability allows unauthenticated attackers to connect their Stripe account and receive payments, effectively hijacking the payment system of affected WordPress installations. This poses a significant financial risk as attackers could potentially redirect legitimate payments to their own accounts (NVD CVE, Rapid7 DB).

A fix has been implemented in version 2.5.1 of the Bookit plugin, as evidenced by the changelog. Website administrators are strongly advised to update to this latest version to protect against unauthorized payment manipulation (WordPress Plugin).