CVE-2025-12841 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Bookit WordPress plugin prior to version 2.5.1. The issue arises because a REST API endpoint responsible for updating Stripe payment options is publicly accessible without any authentication or authorization checks. This means an unauthenticated attacker can send crafted HTTP requests to modify the payment configuration parameters used by the plugin, potentially redirecting payments or altering payment processing behavior. The vulnerability does not expose confidential data directly nor does it cause denial of service, but it compromises the integrity of payment settings, which can lead to financial fraud or misrouting of funds. The CVSS v3.1 base score is 5.3 (medium severity) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to integrity. No public exploits or active exploitation have been reported yet. The vulnerability was reserved in early November 2025 and published in December 2025. The lack of patch links suggests that a fixed version may not yet be widely available, emphasizing the need for immediate attention by administrators. The plugin is commonly used in WordPress sites for booking and payment management, making this a relevant threat for organizations relying on Stripe payments via Bookit.

For European organizations, this vulnerability poses a risk primarily to the integrity of their payment processing workflows. Unauthorized modification of Stripe payment options could lead to financial losses through redirected payments or fraudulent transactions. While confidentiality and availability are not directly impacted, the trustworthiness of payment data and transaction processing is compromised. This can result in reputational damage, regulatory scrutiny under GDPR due to potential financial fraud, and operational disruption if payment processing is altered or disabled. Organizations in sectors such as hospitality, event management, and e-commerce that use Bookit for booking and payment handling are particularly at risk. The medium severity score reflects a moderate but tangible threat that should not be ignored, especially given the critical nature of payment systems. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks once exploit code becomes available.

1. Immediately monitor and audit all changes to Stripe payment configurations within the Bookit plugin to detect unauthorized modifications. 2. Restrict access to the vulnerable REST endpoint by implementing web application firewall (WAF) rules that block unauthenticated requests targeting the plugin’s API paths. 3. Apply principle of least privilege by limiting administrative access to WordPress backend and payment settings only to trusted personnel. 4. Once available, promptly update the Bookit plugin to version 2.5.1 or later where the authorization check is implemented. 5. Consider temporarily disabling the Bookit plugin or the Stripe payment integration if patching is delayed and risk is unacceptable. 6. Employ network segmentation and monitoring to detect anomalous API calls or traffic patterns indicative of exploitation attempts. 7. Educate site administrators about this vulnerability and encourage vigilance regarding unexpected payment configuration changes. 8. Review and tighten Stripe account security, including API keys and webhook configurations, to minimize impact if plugin settings are altered.