The Timetics WordPress plugin prior to version 1.0.52 contains a missing authorization vulnerability (CWE-862) in one of its REST API endpoints. This flaw allows unauthenticated attackers to arbitrarily change the payment status and post status of bookings represented by the 'timetics-booking' custom post type. The vulnerability arises because the REST endpoint does not enforce proper authorization checks, permitting any user to send crafted requests that alter booking data without authentication or privileges. The CVSS 3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R), and impacts integrity (I:L) without affecting confidentiality or availability. The scope remains unchanged (S:U). Although no known exploits have been reported in the wild, the vulnerability could be leveraged to manipulate booking records, potentially enabling fraudulent payment status changes or unauthorized booking modifications. This could undermine trust in booking systems and cause operational disruptions for businesses relying on Timetics for appointment or event management. The vulnerability was reserved on January 6, 2026, and published on March 12, 2026. No official patches or updates are listed yet, but upgrading to version 1.0.52 or later is expected to resolve the issue. The vulnerability was assigned by WPScan, a reputable WordPress security source.

The primary impact of CVE-2025-15473 is on data integrity within affected Timetics plugin installations. Unauthorized users can alter booking payment statuses and post statuses, potentially leading to fraudulent transactions, incorrect booking confirmations, or cancellations. This can result in financial losses, reputational damage, and operational disruptions for organizations relying on Timetics for managing bookings or appointments. While confidentiality and availability are not directly impacted, the integrity compromise may indirectly affect customer trust and business processes. Since exploitation requires no authentication and can be performed remotely, the attack surface is broad, especially for publicly accessible WordPress sites using vulnerable Timetics versions. The lack of known exploits in the wild reduces immediate risk but does not preclude future attacks. Organizations with high volumes of bookings or financial transactions are at greater risk of significant impact.

To mitigate this vulnerability, organizations should promptly update the Timetics plugin to version 1.0.52 or later once it becomes available, as this version is expected to include proper authorization checks on the REST endpoint. Until the update is applied, administrators should consider restricting access to the REST API endpoints related to Timetics using web application firewalls (WAFs) or server-level access controls to limit exposure to unauthenticated users. Additionally, monitoring REST API logs for unusual or unauthorized requests targeting booking status changes can help detect exploitation attempts. Implementing least privilege principles for WordPress users and regularly auditing plugin permissions can reduce risk. Organizations should also maintain regular backups of booking data to enable recovery from unauthorized modifications. Finally, staying informed through official Timetics and WordPress security advisories is critical to timely response.