CVE-2025-12573
Description
The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete the plugin's data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Bookingor WordPress plugin through 1.0.12 fails to authorize AJAX actions, allowing subscribers to delete plugin data.
The Bookingor WordPress plugin through version 1.0.12 contains a missing authorization vulnerability in its AJAX actions. The plugin exposes authenticated AJAX endpoints without performing capability or nonce checks, meaning any authenticated user can trigger these actions regardless of their role. This flaw is classified under CWE-862 (Missing Authorization) [1].
Exploitation requires only a valid WordPress user account, such as a subscriber. The attacker can send crafted AJAX requests to delete plugin data. Since nonce verification is also absent, cross-site request forgery (CSRF) protections are bypassed, though the attack still requires authentication [1].
The impact allows low-privileged users to delete arbitrary data managed by the Bookingor plugin, potentially causing data loss and disrupting functionality. No sensitive data exposure is mentioned, but deletion can affect integrity.
As of the disclosure date, no fix is available for this vulnerability. The plugin is marked with "No known fix" [1]. Users are advised to remove or replace the plugin if data integrity is critical.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
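The mechanics above come down to two missing checks on an authenticated AJAX handler: a nonce check (which stops cross-site and forged requests) and a capability check (which stops low-privileged roles). The following PHP is an added illustration of that pattern and its hardened form; it is not code from the Bookingor plugin, and every function, hook, table and option name prefixed `myplugin_` is hypothetical. It uses only core WordPress APIs (`add_action`, `check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `wp_send_json_success`, `wp_create_nonce`, `wp_localize_script`, `$wpdb->delete`).

```php
<?php
// Added illustrative example; not code from the Bookingor plugin.
// All myplugin_* names and the myplugin_bookings table are hypothetical.

// The class of defect described in the CVE: a handler registered on the
// authenticated wp_ajax_ hook (so any logged-in user, including a subscriber,
// reaches it through admin-ajax.php) that performs neither a nonce check nor
// a capability check before deleting data.
add_action( 'wp_ajax_myplugin_delete_booking', 'myplugin_delete_booking_unchecked' );
function myplugin_delete_booking_unchecked() {
    global $wpdb;
    $id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $wpdb->delete( $wpdb->prefix . 'myplugin_bookings', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}

// Hardened form: verify the nonce first, then require a capability that only
// the intended role holds, then validate input, then act.
add_action( 'wp_ajax_myplugin_delete_booking_secure', 'myplugin_delete_booking_secure' );
function myplugin_delete_booking_secure() {
    // check_ajax_referer() responds with -1 and terminates when the 'nonce'
    // POST field does not match the 'myplugin_delete_booking' action.
    check_ajax_referer( 'myplugin_delete_booking', 'nonce' );

    // Authorization: 'manage_options' is held by administrators only.
    // A subscriber passes authentication but is rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid booking id.' ), 400 );
    }

    global $wpdb;
    // $wpdb->delete() returns the number of rows removed, or false on error.
    $deleted = $wpdb->delete( $wpdb->prefix . 'myplugin_bookings', array( 'id' => $id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}

// Issue the nonce to the admin-side script that makes the request, so the
// browser can send it as the 'nonce' POST field that check_ajax_referer() expects.
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_script' );
function myplugin_enqueue_admin_script() {
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'myplugin_ajax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_delete_booking' ),
    ) );
}
```

The order of the checks matters: the nonce check runs before any capability lookup so that a forged request is rejected without touching plugin state, and the capability check is a role-independent question ("may this user delete bookings?") rather than a test for a specific role name. When auditing a plugin for this class of issue, every `wp_ajax_*` callback that modifies data should contain both calls before its first write.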
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.