CVE-2025-12633 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Booking Calendar | Appointment Booking | Bookit plugin developed by stellarwp for WordPress. The vulnerability exists because the REST API endpoint '/wp-json/bookit/v1/commerce/stripe/return' lacks proper capability checks, allowing unauthenticated users to invoke this endpoint. This endpoint is responsible for handling Stripe payment returns, and due to the missing authorization, attackers can connect their own Stripe accounts to the booking system. Consequently, attackers can manipulate the payment flow to receive payments intended for the legitimate site owner. The vulnerability affects all versions up to and including 2.5.0. The CVSS v3.1 base score is 7.5 (high), reflecting the ease of remote exploitation without authentication or user interaction, and the significant impact on data integrity. While no public exploits have been reported yet, the vulnerability poses a serious risk to the financial transactions of affected websites. The flaw does not compromise confidentiality or availability but allows unauthorized modification of commerce data, which can lead to financial theft and loss of trust. The lack of a patch at the time of reporting increases the urgency for mitigation.

The primary impact of CVE-2025-12633 is financial fraud through unauthorized redirection of payments. Organizations using the affected plugin for appointment booking and payment processing via Stripe are at risk of losing revenue as attackers can receive payments meant for the legitimate business. This undermines the integrity of the commerce system and can lead to significant financial losses. Additionally, exploitation could damage the reputation and trustworthiness of affected organizations, potentially resulting in customer attrition and legal liabilities. Since the vulnerability requires no authentication or user interaction, it can be exploited at scale by automated attacks, increasing the risk of widespread abuse. Although confidentiality and availability are not directly impacted, the integrity breach in payment processing is critical for businesses relying on this plugin. The absence of known exploits in the wild currently provides a limited window for remediation before active exploitation may occur.

1. Immediate action should be to update the Booking Calendar | Appointment Booking | Bookit plugin to a patched version once available from the vendor. 2. Until a patch is released, disable or restrict access to the vulnerable REST API endpoint '/wp-json/bookit/v1/commerce/stripe/return' via web application firewall (WAF) rules or server-level access controls to prevent unauthenticated calls. 3. Monitor Stripe account activity closely for any unauthorized connections or transactions. 4. Implement strict Stripe webhook verification and ensure that payment processing workflows include robust authorization checks. 5. Limit plugin usage to trusted administrators and consider alternative booking plugins with verified security postures if immediate patching is not feasible. 6. Conduct regular security audits and penetration testing focusing on REST API endpoints to detect missing authorization issues. 7. Educate site administrators about the risks of unauthorized API access and encourage prompt application of security updates.