CVE-2025-12842: CWE-20 Improper Input Validation in timeslotplugins Time Slot – Booking and Appointment System
The Booking Plugin for WordPress Appointments – Time Slot plugin for WordPress is vulnerable to unauthorized email sending in versions up to, and including, 1.4.7 due to missing validation on the tslot_appt_email AJAX action. This makes it possible for unauthenticated attackers to send appointment notification emails to arbitrary recipients with attacker-controlled text content in certain email fields, potentially enabling the site to be abused for phishing campaigns or spam distribution.
AI Analysis
Technical Summary
The Time Slot – Booking and Appointment System plugin for WordPress contains an improper input validation vulnerability (CWE-20) in the tslot_appt_email AJAX action. This flaw permits unauthenticated attackers to send emails with attacker-controlled content to arbitrary recipients, potentially enabling abuse of the site for phishing or spam. The vulnerability affects versions up to and including 1.4.7. No official patch or remediation has been confirmed as of the published date.
Potential Impact
The vulnerability allows attackers to send unauthorized emails from the affected WordPress site without authentication. This can be leveraged to conduct phishing attacks or distribute spam, potentially damaging the reputation of the affected site and misleading recipients. There is no direct impact on confidentiality or availability reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider disabling or restricting access to the vulnerable AJAX action to prevent unauthorized email sending.
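One way to apply the interim mitigation above on a WordPress site is a must-use plugin that unhooks the unauthenticated handler for the affected AJAX action and logs any attempt to reach it. This is an added example, not code from the plugin vendor or from the advisory; it assumes the plugin registers its handler on the standard WordPress hooks wp_ajax_tslot_appt_email and wp_ajax_nopriv_tslot_appt_email, and that the file is dropped into wp-content/mu-plugins/ so it loads before regular plugins.

```php
<?php
/**
 * Plugin Name: Interim mitigation for CVE-2025-12842 (added example, not vendor code)
 * Description: Disables unauthenticated access to the tslot_appt_email AJAX action
 *              until a fixed plugin version is installed.
 */

// Assumption: the booking plugin attaches its callback to the conventional
// WordPress hook for unauthenticated AJAX requests, wp_ajax_nopriv_{action}.
// admin-ajax.php fires admin_init before dispatching wp_ajax_* hooks, so
// removing callbacks at the very last admin_init priority catches handlers
// registered at plugin load, on init, or on admin_init itself.
add_action('admin_init', function () {
    $hook = 'wp_ajax_nopriv_tslot_appt_email';

    // Whatever callback the plugin registered is dropped; we do not need to know its name.
    remove_all_actions($hook);

    // Replace it with a handler that refuses the request and records the attempt
    // so the blocked calls show up in the PHP error log for detection and triage.
    add_action($hook, function () {
        $ip = isset($_SERVER['REMOTE_ADDR'])
            ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR']))
            : 'unknown';
        error_log(sprintf(
            'CVE-2025-12842 mitigation: blocked unauthenticated tslot_appt_email request from %s',
            $ip
        ));
        wp_send_json_error(['message' => 'This action is disabled.'], 403);
    });
}, PHP_INT_MAX);
```

This blocks only the unauthenticated (nopriv) path, which is the one the advisory describes as reachable by attackers; logged-in users keep the original handler. If guest visitors rely on the same action to receive their own booking confirmations, that flow will stop working until the vendor fix is in place, so test on a staging site first and remove the mu-plugin once the patched version is installed.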
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-06T20:19:03.726Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691d6897a27e6d5e91bc16e1
Added to database: 11/19/2025, 6:49:59 AM
Last enriched: 4/9/2026, 9:02:19 PM
Last updated: 5/10/2026, 9:21:42 AM