CVE-2025-13318: CWE-862 Missing Authorization in codepeople Booking Calendar Contact Form
The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-13318 affects the Booking Calendar Contact Form plugin for WordPress, developed by codepeople. It is classified under CWE-862 (Missing Authorization) and impacts all versions up to and including 1.2.60. The root cause is the absence of proper authorization checks and payment verification within the function dex_bccf_check_IPN_verification. This function is responsible for processing Instant Payment Notification (IPN) callbacks, which confirm bookings after payment. Due to missing validation, an unauthenticated attacker can craft requests with the 'dex_bccf_ipn' parameter to arbitrarily confirm bookings without completing payment. This bypass undermines the integrity of the booking and payment process, potentially allowing attackers to fraudulently confirm bookings and cause financial loss or operational disruption. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. However, it does not expose sensitive data (confidentiality) nor does it cause denial of service (availability). No patches or fixes have been released at the time of disclosure, and no known exploits have been observed in the wild. The CVSS v3.1 base score is 5.3, reflecting medium severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N).
Potential Impact
For European organizations, especially those in the hospitality, tourism, and service sectors relying on WordPress-based booking systems, this vulnerability poses a risk of fraudulent booking confirmations without payment. This can lead to financial losses, revenue leakage, and potential reputational damage if customers or partners are affected by unauthorized bookings. The integrity of booking data is compromised, which may disrupt operational workflows and cause administrative overhead to identify and rectify fraudulent entries. While confidentiality and availability are not directly impacted, the trustworthiness of the booking system is undermined. Organizations with high volumes of online bookings are at greater risk of exploitation. Additionally, attackers could leverage this flaw to create false booking records, complicating capacity planning and resource allocation. The lack of authentication and user interaction requirements makes exploitation easier, increasing the likelihood of automated or large-scale abuse.
Mitigation Recommendations
European organizations should immediately audit their WordPress sites to identify installations of the Booking Calendar Contact Form plugin, particularly versions up to 1.2.60. Until an official patch is released, organizations should consider the following mitigations:
1) Restrict access to the IPN verification endpoint (dex_bccf_ipn) via web application firewalls (WAFs) or IP whitelisting to trusted payment gateway IP addresses.
2) Implement additional server-side authorization checks to validate the authenticity of booking confirmations, such as verifying payment status directly with payment providers before confirming bookings.
3) Monitor booking logs for unusual patterns indicative of fraudulent confirmations.
4) Disable or remove the vulnerable plugin if it is not essential, or replace it with alternative booking solutions with verified security.
5) Stay alert for updates from the vendor or WordPress plugin repository and apply patches promptly once available.
6) Educate administrative staff to recognize and respond to suspicious booking activity.
These steps go beyond generic advice by focusing on access control, validation, and monitoring specific to the vulnerability's exploitation vector.
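As an added example (not part of the advisory or the plugin), the following script implements mitigations 1 and 3 on the detection side: it scans web server access logs for requests carrying the dex_bccf_ipn parameter and flags any that do not originate from the payment gateway's published IP ranges. The allowlist range, the parameter value, and the log lines are constructed placeholders; substitute the ranges your gateway actually publishes.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Placeholder allowlist (constructed): replace with the IP ranges your
# payment gateway publishes for IPN callbacks.
GATEWAY_ALLOWLIST = [ip_network("203.0.113.0/24")]

# Combined log format: client IP, identd, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_ipn_request(target: str) -> bool:
    """True when the request target carries the dex_bccf_ipn query parameter."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return "dex_bccf_ipn" in query


def from_gateway(ip: str) -> bool:
    """True when the client IP falls inside an allowlisted gateway range."""
    addr = ip_address(ip)
    return any(addr in net for net in GATEWAY_ALLOWLIST)


def find_suspicious_ipn(lines):
    """Return (ip, timestamp, target) for IPN callbacks from non-gateway IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_ipn_request(m["target"]):
            continue
        if not from_gateway(m["ip"]):
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits


# Constructed sample log lines: one legitimate gateway callback, one callback
# from an unrelated client, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Nov/2025:08:40:00 +0000] "POST /?dex_bccf_ipn=1 HTTP/1.1" 200 12 "-" "gateway-ipn"',
    '198.51.100.23 - - [22/Nov/2025:08:41:12 +0000] "GET /?dex_bccf_ipn=1 HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.23 - - [22/Nov/2025:08:41:13 +0000] "GET /wp-login.php HTTP/1.1" 200 3514 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, ts, target in find_suspicious_ipn(SAMPLE_LOG):
        print(f"suspicious IPN callback from {ip} at {ts}: {target}")
```

Any hit should be cross-checked against the booking records for that timestamp, since a confirmation with no matching gateway transaction is the pattern this vulnerability produces.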
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-17T15:18:42.968Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692176e04ffda11ec247b4ff
Added to database: 11/22/2025, 8:40:00 AM
Last enriched: 11/22/2025, 8:40:17 AM
Last updated: 11/22/2025, 12:15:17 PM