CVE-2025-12498 is a vulnerability classified under CWE-862 (Missing Authorization) found in the EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress. The issue stems from the absence of a proper capability check in the 'booking_add_notes' function, which is responsible for adding notes to bookings within the plugin's backend interface. This missing authorization allows any authenticated user with at least Subscriber-level privileges to add arbitrary notes to any booking record, regardless of ownership or role. Since Subscriber is the lowest authenticated role in WordPress, this significantly broadens the attack surface. The vulnerability does not expose sensitive data directly (no confidentiality impact) nor does it disrupt service availability. However, it compromises data integrity by enabling unauthorized modification of booking notes, which could be used for misinformation, social engineering, or manipulation of booking records. The vulnerability affects all versions of the plugin up to and including 4.2.0.0. Exploitation requires no user interaction beyond authentication and can be performed remotely over the network. The CVSS v3.1 base score is 4.3, reflecting low complexity and limited impact scope. No patches were linked at the time of disclosure, and no active exploitation has been reported. The vulnerability was reserved and published in late 2025, with Wordfence as the assigner.

The primary impact of this vulnerability is on data integrity within the affected WordPress plugin. Unauthorized users with minimal privileges can insert arbitrary notes into booking records, potentially misleading administrators or event managers. This could lead to operational confusion, fraudulent booking modifications, or social engineering attacks leveraging falsified booking information. While confidentiality and availability remain unaffected, the integrity compromise could undermine trust in booking data and event management workflows. Organizations relying on EventPrime for critical event scheduling or ticketing may face reputational damage or operational disruptions if attackers exploit this flaw. Since the attack requires only low-level authenticated access, compromised or malicious subscriber accounts could be leveraged to exploit this vulnerability. The absence of known exploits in the wild suggests limited current impact but also highlights the need for proactive mitigation before attackers develop weaponized exploits.

To mitigate this vulnerability, organizations should first monitor for updates or patches from the plugin vendor and apply them promptly once available. In the absence of an official patch, administrators should restrict Subscriber-level user capabilities, especially limiting access to booking management areas. Implementing strict user role management and auditing user accounts can reduce the risk of exploitation. Additionally, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized attempts to add booking notes. Regularly review booking notes for suspicious or unauthorized entries to detect potential exploitation. If feasible, temporarily disable the booking note feature or restrict note creation to trusted roles only. Finally, maintain strong authentication controls and monitor logs for unusual activity related to booking modifications.