The vulnerability identified as CVE-2025-13318 affects the Booking Calendar Contact Form plugin for WordPress, specifically all versions up to and including 1.2.60. The root cause is a missing authorization check in the dex_bccf_check_IPN_verification function, which is responsible for verifying payment notifications (IPN). This function fails to authenticate the source or verify payment status properly, allowing attackers to manipulate the 'dex_bccf_ipn' parameter to confirm bookings without completing payment. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely by any unauthenticated attacker. The impact is primarily on the integrity of booking data, as attackers can create fraudulent confirmed bookings, potentially leading to financial loss or operational disruption for businesses relying on the plugin for booking management. The vulnerability does not affect confidentiality or availability directly. No patches or fixes have been published at the time of disclosure, and no known exploits have been reported in the wild. The CVSS v3.1 base score is 5.3, reflecting a medium severity level due to the ease of exploitation and the integrity impact. The vulnerability is classified under CWE-862 (Missing Authorization).

Organizations using the Booking Calendar Contact Form plugin are at risk of unauthorized booking confirmations without payment, which can lead to financial losses, operational disruptions, and reputational damage. Attackers can exploit this flaw to bypass payment requirements, potentially causing revenue loss for businesses that rely on the plugin for managing paid bookings or reservations. This may also result in overbooking or misuse of resources, impacting service availability indirectly. Since the vulnerability does not compromise confidentiality or availability directly, the primary concern is data integrity and business process trustworthiness. E-commerce sites, event organizers, and service providers using this plugin are particularly vulnerable. The lack of authentication requirements and ease of exploitation increase the likelihood of automated attacks or mass exploitation attempts once public exploit code becomes available.

Until an official patch is released, organizations should implement the following mitigations: 1) Disable or restrict access to the Booking Calendar Contact Form plugin, especially the IPN verification endpoint, to trusted IP addresses or internal networks only. 2) Implement web application firewall (WAF) rules to detect and block suspicious requests containing the 'dex_bccf_ipn' parameter or anomalous booking confirmation attempts. 3) Monitor booking logs for unusual patterns such as sudden spikes in confirmed bookings without corresponding payments. 4) If possible, customize the plugin code to add authorization checks and payment verification before confirming bookings. 5) Educate staff to verify bookings manually if suspicious activity is detected. 6) Keep WordPress and all plugins updated and subscribe to vendor security advisories for timely patch deployment once available. 7) Consider alternative booking plugins with stronger security postures if immediate mitigation is not feasible.