CVE-2025-13317: CWE-862 Missing Authorization in codepeople Appointment Booking Calendar
The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_verification) that trusts attacker-supplied payment notifications without verifying their origin, authenticity, or requiring proper authorization checks. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and insert them into the live calendar via the 'cpabc_ipncheck' parameter, triggering administrative and customer notification emails and disrupting operations.
AI Analysis
Technical Summary
CVE-2025-13317 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Appointment Booking Calendar plugin for WordPress, developed by codepeople. This vulnerability affects all versions up to and including 1.3.96. The root cause is the exposure of an unauthenticated endpoint named cpabc_appointments_check_IPN_verification, which processes booking confirmations based on payment notifications. The endpoint fails to verify the origin or authenticity of these notifications and does not enforce any authorization checks. Consequently, an unauthenticated attacker can craft and send malicious requests with the cpabc_ipncheck parameter to confirm arbitrary bookings. These unauthorized bookings are inserted into the live calendar, and the system triggers notification emails to administrators and customers, potentially causing confusion and operational disruption. The vulnerability impacts the integrity of booking data but does not affect confidentiality or availability. The CVSS v3.1 score is 5.3 (medium severity), reflecting the network attack vector, no privileges required, and no user interaction needed. There are no known exploits in the wild at the time of publication. The vulnerability is significant for organizations relying on this plugin for appointment management, as it can be used to manipulate booking records and disrupt business operations.
Potential Impact
For European organizations using the Appointment Booking Calendar plugin, this vulnerability can lead to unauthorized insertion of fraudulent bookings into their calendars. This undermines the integrity of appointment data, potentially causing scheduling conflicts, resource misallocation, and loss of customer trust. The automatic triggering of notification emails can flood administrators and clients with false information, increasing operational overhead and confusion. While confidentiality and availability are not directly impacted, the disruption to business processes and potential reputational damage can be significant, especially for service providers relying heavily on accurate appointment scheduling. Small and medium enterprises (SMEs) in sectors such as healthcare, legal services, education, and personal services that use WordPress-based booking systems are particularly at risk. The absence of authentication requirements makes exploitation straightforward, increasing the likelihood of opportunistic attacks. Although no exploits are currently known in the wild, the ease of exploitation and potential operational impact warrant prompt attention.
Mitigation Recommendations
1. Immediate mitigation involves updating the Appointment Booking Calendar plugin to a patched version once released by the vendor. Since no patch links are currently available, organizations should monitor vendor advisories closely.
2. In the interim, restrict access to the cpabc_appointments_check_IPN_verification endpoint by implementing web application firewall (WAF) rules that block unauthenticated requests or limit access to trusted IP addresses.
3. Implement server-side validation to verify the authenticity of payment notifications, such as validating digital signatures or using secure callbacks from payment processors.
4. Disable or remove the vulnerable endpoint if it is not essential for business operations.
5. Monitor booking logs and notification emails for unusual activity indicative of exploitation attempts.
6. Educate administrative staff to recognize and respond to suspicious booking confirmations.
7. Consider deploying anomaly detection mechanisms to flag irregular booking patterns.
8. Review and harden WordPress security configurations, including limiting plugin permissions and enforcing least privilege principles.
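As an added example (not code from the plugin or from this advisory), the handler below shows what recommendation 3 means in practice for a WordPress booking plugin: a payment notification is authenticated by posting it back to the payment processor, then bound to a pending booking the site itself created, and only then confirmed. It assumes a PayPal-style IPN postback protocol and hypothetical plugin names (cpabc_secure_ipn_handler, cpabc_confirm_booking, the cpabc_bookings table, the cpabc_paypal_email option).

```php
<?php
// Added illustration (not the plugin's code): a hardened payment-notification
// handler for a WordPress booking plugin. Function and table names such as
// cpabc_confirm_booking() and cpabc_bookings are hypothetical. Assumes a
// PayPal-style IPN where the processor's postback answer is the only proof.
function cpabc_secure_ipn_handler() {
    // A request parameter such as cpabc_ipncheck may route a request here,
    // but it is client-controlled and must never confirm a booking by itself.
    if ( empty( $_POST ) ) {
        status_header( 400 );
        exit;
    }
    // 1. Echo the notification back to the processor with cmd=_notify-validate;
    //    only the processor's own "VERIFIED" answer counts as authentic.
    $verify_url = 'https://ipnpb.paypal.com/cgi-bin/webscr';
    $payload    = array_merge( array( 'cmd' => '_notify-validate' ), wp_unslash( $_POST ) );
    $response   = wp_remote_post( $verify_url, array( 'body' => $payload, 'timeout' => 15 ) );
    if ( is_wp_error( $response ) || 'VERIFIED' !== trim( wp_remote_retrieve_body( $response ) ) ) {
        error_log( 'cpabc: rejected unverified payment notification from ' . $_SERVER['REMOTE_ADDR'] );
        status_header( 403 );
        exit;
    }
    // 2. Bind the verified notification to a booking the site itself created.
    global $wpdb;
    $booking_id = absint( $_POST['custom'] ?? 0 );
    $booking    = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, amount, currency, status FROM {$wpdb->prefix}cpabc_bookings WHERE id = %d",
        $booking_id
    ) );
    // 3. Check payment state, receiver, amount and currency against the stored
    //    record; a booking already confirmed is not confirmed again (replay).
    $receiver = (string) get_option( 'cpabc_paypal_email' ); // merchant account, hypothetical option
    $ok = $booking
        && 'pending' === $booking->status
        && 'Completed' === ( $_POST['payment_status'] ?? '' )
        && '' !== $receiver
        && strtolower( $receiver ) === strtolower( (string) ( $_POST['receiver_email'] ?? '' ) )
        && $booking->currency === ( $_POST['mc_currency'] ?? '' )
        && abs( (float) $booking->amount - (float) ( $_POST['mc_gross'] ?? 0 ) ) < 0.005;
    if ( ! $ok ) {
        error_log( 'cpabc: verified IPN did not match pending booking ' . $booking_id );
        status_header( 400 );
        exit;
    }
    cpabc_confirm_booking( $booking_id ); // hypothetical: sets status, sends emails
    status_header( 200 );
    exit;
}
```

The rejected-notification log lines double as the signal recommendation 5 asks for: a burst of them from one source is the pattern to alert on.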
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-17T15:15:33.423Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69216996633f6b6b24ab478d
Added to database: 11/22/2025, 7:43:18 AM
Last enriched: 11/22/2025, 7:43:56 AM
Last updated: 11/22/2025, 12:15:13 PM