CVE-2025-12841: CWE-862 Missing Authorization in Bookit
The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the plugin's Stripe payment options.
AI Analysis
Technical Summary
CVE-2025-12841 is a CWE-862 (Missing Authorization) vulnerability in the Bookit WordPress plugin before version 2.5.1. The flaw lies in a REST API endpoint that is publicly reachable and does not require authentication, so any unauthenticated user can update the plugin's Stripe payment options. Stripe payment options typically hold sensitive configuration such as API keys, webhook URLs, and payment processing parameters; unauthorized modification of them could let an attacker redirect payments to attacker-controlled accounts, disrupt payment processing, or deny service to legitimate transactions. The root cause is the absence of an authorization check on the REST endpoint, in violation of the principle of least privilege. No public exploits are currently known, but an unauthenticated endpoint is trivial to reach, which makes this a significant risk. All versions before 2.5.1 are affected, and no patch links are currently provided, so users must monitor for updates or apply temporary mitigations. The vulnerability was reserved in early November 2025 and published in December 2025. The plugin is used primarily by WordPress sites that handle booking and payment functionality, which makes those sites attractive to financially motivated attackers. Because no CVSS score is provided, severity must be assessed independently from the impact and exploitability factors above.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial, especially for businesses that rely on the Bookit plugin for e-commerce, booking, or subscription services. Unauthorized modification of Stripe payment options can lead to financial fraud, including diversion of payments to attacker-controlled accounts and direct monetary loss. Disruption of payment processing can also damage customer trust and cause operational downtime. The integrity of financial transactions is compromised, and the confidentiality of payment configuration data is at risk. Organizations in sectors such as hospitality, event management, and online services that use Bookit are particularly exposed. Because the vulnerable endpoint is publicly accessible, it can be exploited remotely without authentication or user interaction, which increases the likelihood of exploitation. The current absence of known exploits provides a window for mitigation, but the risk remains high given the ease of exploitation and the potential financial consequences.
Mitigation Recommendations
To mitigate this vulnerability, affected organizations should prioritize updating the Bookit plugin to version 2.5.1 or later as soon as it becomes available, since that release is expected to add the missing authorization checks. Until an official patch is released, organizations can apply temporary mitigations such as restricting access to the vulnerable REST endpoint through a web application firewall (WAF) or server-level access controls, allowing only trusted IP addresses. Monitoring and auditing changes to the Stripe payment configuration can surface unauthorized modifications early. Organizations should also review and rotate Stripe API keys and credentials if compromise is suspected. Enforcing strict role-based access controls within WordPress and disabling unnecessary REST API endpoints reduces the attack surface. Regular backups of plugin configuration and payment settings will aid recovery if unauthorized changes occur. Finally, making IT and security teams aware of this vulnerability will ensure a timely response and remediation.
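As an added example of the temporary mitigation and change monitoring described above (this is not Bookit's or WordPress core's own code): a must-use plugin that rejects write requests to the plugin's REST namespace from anyone without the administrator capability and logs every change to the plugin's options. The REST namespace `bookit/v1` and the option prefix `bookit_` are assumed placeholders; confirm the real values from the plugin's `register_rest_route()` calls and option names before deploying.

```php
<?php
/**
 * Plugin Name: Bookit REST hardening (temporary mitigation)
 * Description: Drop into wp-content/mu-plugins/. Added example, not Bookit's code.
 */

// ASSUMPTION (placeholders): the plugin's REST namespace and option prefix.
// Verify both against the installed plugin before relying on this.
const BOOKIT_HARDEN_REST_NAMESPACE = 'bookit/v1';
const BOOKIT_HARDEN_OPTION_PREFIX  = 'bookit_';

/**
 * Enforce manage_options on every non-GET request under the plugin's
 * namespace, independent of whatever permission_callback the plugin
 * registered. Unauthenticated REST requests resolve to user 0, so
 * current_user_can() fails for them and the request is rejected.
 */
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( is_wp_error( $response ) ) {
        return $response; // an earlier filter already rejected the request
    }
    $route = $request->get_route(); // e.g. "/bookit/v1/settings"
    if ( strpos( $route, '/' . BOOKIT_HARDEN_REST_NAMESPACE . '/' ) !== 0 ) {
        return $response; // not a Bookit route
    }
    if ( $request->get_method() === 'GET' ) {
        return $response; // read-only requests are left untouched
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf( 'bookit-harden: blocked %s %s from %s',
            $request->get_method(), $route, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
        return new WP_Error( 'rest_forbidden',
            __( 'Sorry, you are not allowed to do that.' ),
            array( 'status' => rest_authorization_required_code() ) ); // 401 or 403
    }
    return $response;
}, 10, 3 );

/**
 * Audit trail: record who changed any plugin option, so an unauthorized
 * change to the Stripe settings is visible in the PHP error log or SIEM.
 * Option values are deliberately not logged (they may contain API keys).
 */
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( strpos( $option, BOOKIT_HARDEN_OPTION_PREFIX ) !== 0 ) {
        return;
    }
    $user = wp_get_current_user();
    error_log( sprintf( 'bookit-harden: option %s changed by user_id=%d (%s) from %s',
        $option, $user->ID, $user->user_login ?: 'unauthenticated',
        $_SERVER['REMOTE_ADDR'] ?? 'cli' ) );
}, 10, 3 );
```

Remove the must-use plugin once the site runs Bookit 2.5.1 or later, keeping the option-change logging if the audit trail is useful.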
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2025-11-06T20:18:19.213Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 693beffae96055a68b9f7a24
Added to database: 12/12/2025, 10:35:38 AM
Last enriched: 12/12/2025, 10:50:39 AM
Last updated: 12/15/2025, 4:04:25 AM