CVE-2025-12633 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Booking Calendar | Appointment Booking | Bookit plugin for WordPress, versions up to and including 2.5.0. The root cause is the absence of a capability check on the REST API endpoint '/wp-json/bookit/v1/commerce/stripe/return', which is responsible for handling Stripe payment connections. This missing authorization allows unauthenticated attackers to invoke this endpoint and link their own Stripe accounts to the booking system. Consequently, payments intended for the legitimate site owner can be diverted to attacker-controlled Stripe accounts, effectively enabling fraudulent receipt of funds. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 score is 7.5 (high), reflecting the ease of exploitation and the significant integrity impact, although confidentiality and availability remain unaffected. No patches are currently listed, and no known exploits have been observed in the wild, but the vulnerability's nature suggests it could be targeted by financially motivated attackers. The plugin is widely used for appointment booking and commerce integration on WordPress sites, making this a critical issue for affected users.

For European organizations, this vulnerability poses a significant financial risk. Organizations using the Booking Calendar | Appointment Booking | Bookit plugin to process payments via Stripe could have their payment flows hijacked, leading to direct financial losses and potential reputational damage. The integrity of payment data is compromised, which may also affect accounting and compliance processes. Since the vulnerability allows unauthenticated remote exploitation, attackers can operate at scale, potentially targeting multiple organizations simultaneously. This risk is particularly acute for SMEs and service providers relying heavily on online booking and payment systems. Additionally, organizations may face regulatory scrutiny under GDPR if customer payment data or transaction integrity is compromised, even if confidentiality is not directly affected. The lack of authentication and user interaction requirements means that the attack can be automated and executed stealthily, increasing the threat level.

Immediate mitigation involves disabling or restricting access to the vulnerable REST API endpoint '/wp-json/bookit/v1/commerce/stripe/return' until a patch is available. Organizations should implement web application firewall (WAF) rules to block unauthorized requests to this endpoint, especially from unauthenticated sources. Monitoring and logging of API calls related to Stripe account connections should be enhanced to detect suspicious activity. Site administrators should audit their Stripe account configurations to verify no unauthorized accounts have been linked. If possible, upgrade to a patched version once released by the vendor. In the interim, consider replacing the plugin with alternative booking solutions that have verified secure payment integrations. Educate site administrators about the risk and encourage regular plugin updates and security reviews. Employing least privilege principles on WordPress user roles and limiting REST API exposure can also reduce attack surface.