CVE-2025-12573: CWE-862 Missing Authorization in Bookingor
The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor plugin data.
AI Analysis
Technical Summary
CVE-2025-12573 is a vulnerability identified in the Bookingor WordPress plugin versions up to 1.0.12. The core issue is a missing authorization check (CWE-862) in the plugin's AJAX actions, which are exposed to authenticated users without verifying their capabilities or validating nonces. This security lapse allows low-privileged users—such as subscribers or contributors—to perform unauthorized deletion of Bookingor plugin data. The vulnerability arises because the plugin's AJAX endpoints do not enforce proper permission checks, enabling privilege escalation within the plugin's operational scope. The attack vector is network-based (AV:N), requiring low privileges (PR:L) but no user interaction (UI:N), and the scope remains unchanged (S:U). The impact affects data integrity (I:H) but not confidentiality or availability. Although no public exploits have been reported, the vulnerability poses a risk to any WordPress site using the Bookingor plugin for managing bookings or reservations. The absence of nonce and capability checks means that an attacker with minimal authenticated access can manipulate or delete critical booking data, potentially disrupting business operations or causing data loss. The vulnerability was reserved in late 2025 and published in early 2026, with no patches currently available, highlighting the need for immediate attention from site administrators.
Potential Impact
The primary impact of CVE-2025-12573 is on the integrity of booking data managed by the Bookingor plugin. Unauthorized deletion of booking information can lead to operational disruptions, loss of customer trust, and potential financial losses for businesses relying on accurate reservation data. Since the vulnerability requires authenticated access, attackers must first compromise or gain low-level access to a WordPress user account, which is a common scenario in many environments due to weak passwords or phishing. The lack of confidentiality and availability impact means sensitive data leakage or denial of service are not direct concerns; however, the ability to delete data without proper authorization can undermine business continuity and data reliability. Organizations with high transaction volumes or critical booking systems may experience significant operational impact. Additionally, the absence of nonce checks increases the risk of Cross-Site Request Forgery (CSRF) attacks, potentially allowing attackers to exploit authenticated sessions to trigger unauthorized deletions. The medium CVSS score reflects these factors, emphasizing the need for timely mitigation to prevent exploitation.
Mitigation Recommendations
1. Immediate mitigation involves restricting access to the Bookingor plugin's AJAX endpoints by limiting user roles that can authenticate and interact with these endpoints, ideally to trusted administrators only.
2. Implement Web Application Firewall (WAF) rules to detect and block suspicious AJAX requests targeting Bookingor endpoints, especially those attempting deletion actions.
3. Monitor user activity logs for unusual deletion requests or access patterns related to Bookingor data.
4. Enforce strong authentication policies for WordPress users, including multi-factor authentication (MFA) and strong password requirements, to reduce the risk of low-privileged account compromise.
5. Until an official patch is released, consider temporarily disabling or removing the Bookingor plugin if it is not critical to operations.
6. Once available, promptly apply official patches or updates from the plugin developer that address the missing authorization checks.
7. For developers or site administrators with technical expertise, consider implementing custom code to add nonce verification and capability checks on the plugin's AJAX handlers as an interim fix.
8. Educate users about phishing and credential security to prevent unauthorized access to low-privileged accounts.
These steps collectively reduce the attack surface and limit the potential for exploitation.
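To make recommendation 7 concrete, the following is an added example, not Bookingor's code and not taken from this advisory: a hypothetical WordPress AJAX handler written in the shape CWE-862 describes (reachable by every logged-in user, no nonce, no capability check), placed next to a hardened version. The hook names, the `booking` post type, the `delete_others_posts` capability and the script handle are all assumptions chosen for illustration; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `wp_create_nonce`, `wp_localize_script`) are real.

```php
<?php
/**
 * Added example (not Bookingor's code). Hook names, the 'booking' post type,
 * the capability and the script handle are assumptions for illustration.
 */

// --- Vulnerable pattern: the CWE-862 shape described in the advisory --------
// wp_ajax_{action} fires for EVERY authenticated user, subscriber included.
// Nothing here verifies a nonce (CSRF) or a capability (authorization), so any
// low-privileged account can delete any post by ID.
add_action( 'wp_ajax_example_delete_booking', 'example_delete_booking_unsafe' );
function example_delete_booking_unsafe() {
    $id = absint( $_POST['booking_id'] ?? 0 );
    wp_delete_post( $id, true );
    wp_send_json_success();
}

// --- Hardened pattern: nonce + capability + object-level check ----------------
add_action( 'wp_ajax_example_delete_booking_v2', 'example_delete_booking_safe' );
function example_delete_booking_safe() {
    // 1. Nonce: proves the request originated from a page/script this site
    //    issued to this logged-in user, which defeats cross-site request forgery.
    //    On failure check_ajax_referer() responds "-1" and terminates (wp_die).
    check_ajax_referer( 'example_delete_booking', 'nonce' );

    // 2. Capability: a nonce is NOT authorization. Every logged-in user who can
    //    load the page receives one, so the role check is what stops
    //    subscribers and contributors. The capability is an assumption here.
    if ( ! current_user_can( 'delete_others_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // dies
    }

    // 3. Input validation and object-level check: only a 'booking' post may be
    //    removed through this endpoint, never an arbitrary post ID.
    $id = absint( $_POST['booking_id'] ?? 0 );
    if ( ! $id || get_post_type( $id ) !== 'booking' ) {
        wp_send_json_error( array( 'message' => 'Invalid booking' ), 400 );
    }

    $deleted = wp_delete_post( $id, true );
    if ( ! $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}

// --- Client side: issue the nonce to the script that sends the request --------
// The script is expected to POST action=example_delete_booking_v2, booking_id
// and nonce=exampleBookings.nonce to exampleBookings.ajaxUrl.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script(
        'example-bookings',
        plugins_url( 'bookings.js', __FILE__ ), // assumed script path
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-bookings', 'exampleBookings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_delete_booking' ),
    ) );
} );
```

Two design points matter when applying this as an interim fix. First, the nonce and the capability check answer different questions (did this request come from our own UI, and is this user allowed to delete), so both are required; a handler with only a nonce still has the authorization gap this CVE describes. Second, never register a `wp_ajax_nopriv_` counterpart for a destructive action, since that would open it to unauthenticated visitors as well.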
Affected Countries
United States, United Kingdom, Germany, Australia, Canada, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2025-10-31T20:55:18.575Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 696f1ec84623b1157c1b768d
Added to database: 1/20/2026, 6:20:56 AM
Last enriched: 4/3/2026, 3:29:35 AM
Last updated: 5/10/2026, 6:52:08 AM