CVE-2025-15473
Description
The Timetics WordPress plugin before 1.0.52 does not have authorization in a REST endpoint, allowing unauthenticated users to arbitrarily change a booking's payment status and post status for the "timetics-booking" custom post type.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Timetics WordPress plugin before 1.0.52 lacks authorization in a REST endpoint, allowing unauthenticated attackers to modify booking payment and post statuses.
The Timetics WordPress plugin, versions prior to 1.0.52, contains a missing authorization vulnerability in a REST endpoint. This flaw allows unauthenticated users to arbitrarily change the payment status and post status of the 'timetics-booking' custom post type [1]. The root cause is the absence of proper capability checks or nonce verification on the affected endpoint.
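The root cause described above, a REST route whose authorization check is missing, is easiest to recognize in code. The following is an added illustration written for this page, not code from the Timetics plugin: the route namespace, callback, post type and meta key are hypothetical. It places the insecure registration (a permission_callback that returns true for everyone) beside a hardened registration that ties the request to a capability on the specific booking and validates the two status arguments.

```php
<?php
// Added example, not Timetics code. All names below ('example-booking/v1',
// 'example-booking', '_example_payment_status') are hypothetical placeholders.

// Insecure pattern: '__return_true' tells WordPress that no authorization is
// required, so any unauthenticated client may update the booking's statuses.
// This mirrors the class of defect the advisory describes.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-booking-insecure/v1', '/bookings/(?P<id>\d+)/status', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_booking_status',
        'permission_callback' => '__return_true', // the defect: no capability check
    ) );
} );

// Hardened pattern: the permission callback resolves the target booking,
// confirms it is the expected post type, and requires that the current user
// may edit that specific post. Cookie-authenticated callers must also send a
// valid X-WP-Nonce header, which WordPress core verifies before this runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-booking/v1', '/bookings/(?P<id>\d+)/status', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_booking_status',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post = get_post( (int) $request['id'] );
            if ( ! $post || 'example-booking' !== $post->post_type ) {
                return new WP_Error( 'rest_not_found', 'Booking not found.', array( 'status' => 404 ) );
            }
            if ( ! current_user_can( 'edit_post', $post->ID ) ) {
                return new WP_Error( 'rest_forbidden', 'You may not change this booking.', array( 'status' => 403 ) );
            }
            return true;
        },
        // Restrict both status fields to a known set before the callback sees them.
        'args' => array(
            'payment_status' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return in_array( $value, array( 'unpaid', 'paid', 'refunded' ), true );
                },
            ),
            'post_status' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return in_array( $value, array( 'pending', 'publish' ), true );
                },
            ),
        ),
    ) );
} );

// Shared callback: by the time this runs, authorization and argument
// validation have already been enforced by the route definition.
function example_update_booking_status( WP_REST_Request $request ) {
    $id = (int) $request['id'];
    update_post_meta( $id, '_example_payment_status', sanitize_key( $request['payment_status'] ) );
    $result = wp_update_post( array( 'ID' => $id, 'post_status' => $request['post_status'] ), true );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'id' => $id, 'updated' => true ) );
}
```

When reviewing a plugin for this class of bug, search its `register_rest_route` calls for a missing `permission_callback` or one set to `__return_true`; WordPress 5.5 and later logs a `_doing_it_wrong` notice when the argument is absent, but an explicit `__return_true` is silent and should only ever guard genuinely public, read-only data. A permission callback that checks `is_user_logged_in()` alone is also insufficient for state changes like these, since it lets any subscriber modify any booking.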
Exploitation requires no authentication or special privileges; an attacker can send crafted HTTP requests to the vulnerable REST endpoint. The attack surface is the WordPress REST API, which is typically accessible over the network. No prior knowledge of the site is needed beyond the endpoint URL [1].
Successful exploitation enables an attacker to alter payment statuses (e.g., marking unpaid bookings as paid) and post statuses (e.g., changing a booking from pending to completed). This could lead to fraudulent transactions, data integrity issues, and bypass of payment workflows. The impact is limited to the booking and payment status fields, but it undermines the trustworthiness of the booking system [1].
The vulnerability has been fixed in version 1.0.52 of the Timetics plugin. Users are strongly advised to update to the latest version to mitigate the risk. No workarounds are documented, and the plugin vendor has released a patch [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.