CVE-2025-13318: CWE-862 Missing Authorization in codepeople Booking Calendar Contact Form
The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-13318 affects the Booking Calendar Contact Form plugin for WordPress, developed by codepeople. It is classified under CWE-862 (Missing Authorization) and impacts all versions up to and including 1.2.60. The root cause is the absence of proper authorization checks and payment verification within the dex_bccf_check_IPN_verification function. This function is responsible for processing Instant Payment Notification (IPN) callbacks, which confirm bookings after payment. Due to the missing authorization, an unauthenticated attacker can craft requests with the 'dex_bccf_ipn' parameter to arbitrarily confirm bookings without completing payment. This bypass undermines the integrity of the booking process, allowing fraudulent confirmations that could lead to financial loss or service abuse. The vulnerability is remotely exploitable without requiring any authentication or user interaction, increasing its risk profile. However, it does not affect confidentiality or availability of the system. No patches were linked at the time of reporting, and no known exploits have been observed in the wild. The CVSS v3.1 base score is 5.3, indicating a medium severity level primarily due to the impact on integrity and ease of exploitation. The vulnerability is particularly relevant to organizations using WordPress sites with this plugin, especially in sectors dependent on accurate booking and payment processing.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity of booking and payment systems. Hospitality, tourism, event management, and service providers using the affected plugin may experience fraudulent bookings confirmed without payment, leading to direct financial losses and potential reputational damage. While the vulnerability does not compromise data confidentiality or system availability, the ability to bypass payment verification can disrupt business operations and customer trust. Organizations relying on automated booking confirmations may face challenges in detecting and mitigating fraudulent transactions. The risk is heightened in sectors with high transaction volumes or where bookings are critical to revenue. Additionally, regulatory compliance related to payment processing and consumer protection could be impacted if fraudulent activities are not adequately controlled.
Mitigation Recommendations
1. Monitor for vendor updates and apply patches promptly once released to address the missing authorization checks.
2. In the absence of an official patch, implement custom authorization validation in the dex_bccf_check_IPN_verification function to ensure only legitimate IPN callbacks from trusted payment providers are accepted.
3. Restrict access to IPN endpoints by IP whitelisting or firewall rules to allow only known payment gateway IP addresses.
4. Enable detailed logging and monitoring of booking confirmations and payment verifications to detect anomalies or suspicious activity.
5. Conduct regular audits of booking records to identify and reconcile any unauthorized confirmations.
6. Consider temporarily disabling the affected plugin or replacing it with alternative booking solutions until a secure version is available.
7. Educate staff responsible for website and booking system management about the vulnerability and signs of exploitation.
8. Review and strengthen overall WordPress security posture, including limiting plugin usage and ensuring minimal privileges for plugin operations.
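The checks that mitigation steps 2 through 4 call for, shown as an added Python illustration of the bug class rather than the plugin's own PHP code. Everything here is a constructed assumption: the IpnHandler and confirm_on_request names, the gateway "ledger" dictionary standing in for a server-to-server verification call, the 203.0.113.0/24 source range and the sample bookings. confirm_on_request shows the CWE-862 pattern, where the request alone decides; IpnHandler confirms a booking only when the caller's address belongs to the gateway, the gateway itself reports the transaction as completed, the paid amount, currency and booking reference match the site's own record, and the transaction id has not been used before.

```python
# Added illustration of the bug class behind CVE-2025-13318, not the plugin's code.
# The gateway ledger, source-IP range and sample messages are all constructed.
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
import ipaddress

# Constructed placeholder: networks the gateway documents as notification sources.
GATEWAY_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Booking:
    booking_id: str
    amount: Decimal
    currency: str
    confirmed: bool = False


def confirm_on_request(bookings, params):
    """Weak handler (the CWE-862 pattern): the request alone decides, so any
    client that can reach the endpoint can mark any booking as paid."""
    booking = bookings.get(params.get("booking_id"))
    if booking is not None:
        booking.confirmed = True
    return "confirmed" if booking else "unknown booking"


class IpnHandler:
    """Hardened handler: every decision rests on data the gateway itself confirms."""

    def __init__(self, bookings, gateway):
        self.bookings = bookings
        self.gateway = gateway  # txn_id -> record; stands in for a verification API call
        self.seen_txns = set()  # replay protection; persist this in a real deployment
        self.audit = []         # structured records for monitoring (mitigation step 4)

    def _log(self, outcome, **fields):
        self.audit.append({"outcome": outcome, **fields})
        return outcome

    def handle(self, params, source_ip):
        booking_id, txn_id = params.get("booking_id"), params.get("txn_id")
        # 1. Network-level authorization: only the gateway may call this endpoint.
        try:
            from_gateway = any(ipaddress.ip_address(source_ip) in net
                               for net in GATEWAY_SOURCE_NETS)
        except ValueError:
            from_gateway = False
        if not from_gateway:
            return self._log("rejected: source not gateway", ip=source_ip, booking=booking_id)
        booking = self.bookings.get(booking_id)
        if booking is None or not txn_id:
            return self._log("rejected: malformed", booking=booking_id, txn=txn_id)
        # 2. Replay protection: one transaction confirms at most one booking.
        if txn_id in self.seen_txns:
            return self._log("rejected: replayed txn", booking=booking_id, txn=txn_id)
        # 3. Payment verification: ask the gateway, not the notification, what was paid.
        record = self.gateway.get(txn_id)
        if record is None or record.get("status") != "COMPLETED":
            return self._log("rejected: payment not completed", booking=booking_id, txn=txn_id)
        # 4. Amount, currency and booking reference must match our own record.
        try:
            paid = Decimal(record["amount"])
        except (InvalidOperation, KeyError, TypeError):
            return self._log("rejected: bad amount", booking=booking_id, txn=txn_id)
        if (paid != booking.amount or record.get("currency") != booking.currency
                or record.get("booking_id") != booking_id):
            return self._log("rejected: payment mismatch", booking=booking_id, txn=txn_id)
        # 5. Only now confirm, and remember the transaction.
        self.seen_txns.add(txn_id)
        booking.confirmed = True
        return self._log("confirmed", booking=booking_id, txn=txn_id)


def demo():
    """Runs both handlers over constructed bookings and gateway records."""
    bookings = {"B-100": Booking("B-100", Decimal("120.00"), "EUR"),
                "B-101": Booking("B-101", Decimal("80.00"), "EUR")}
    gateway = {"TX-1": {"status": "COMPLETED", "amount": "120.00",
                        "currency": "EUR", "booking_id": "B-100"}}  # only B-100 was paid
    handler = IpnHandler(bookings, gateway)
    hardened = [
        handler.handle({"booking_id": "B-101", "txn_id": "TX-9"}, "198.51.100.7"),  # wrong source
        handler.handle({"booking_id": "B-101", "txn_id": "TX-9"}, "203.0.113.10"),  # no such payment
        handler.handle({"booking_id": "B-100", "txn_id": "TX-1"}, "203.0.113.10"),  # genuine
        handler.handle({"booking_id": "B-101", "txn_id": "TX-1"}, "203.0.113.10"),  # replay
    ]
    weak = {"B-200": Booking("B-200", Decimal("50.00"), "EUR")}
    weak_result = confirm_on_request(weak, {"booking_id": "B-200"})
    return {"hardened": hardened,
            "confirmed": sorted(b.booking_id for b in bookings.values() if b.confirmed),
            "weak": (weak_result, weak["B-200"].confirmed)}
```

Calling demo() shows the contrast: the weak handler confirms B-200 with no payment at all, while the hardened handler confirms only B-100 and rejects the outsider request, the unknown transaction and the replay. The handler's audit list is the kind of record step 4 asks for; in a real deployment the gateway lookup would be an HTTPS call to the provider's documented verification endpoint, and seen_txns would live in the database rather than in memory.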
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Austria, Switzerland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-17T15:18:42.968Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692176e04ffda11ec247b4ff
Added to database: 11/22/2025, 8:40:00 AM
Last enriched: 11/29/2025, 8:56:01 AM
Last updated: 1/7/2026, 8:46:36 AM