cnvd - cnvd-2025-29507

CNVD-2025-29507

Vulnerability from cnvd - Published: 2025-11-28

Title

WordPress Booking Calendar Contact Form Plugin缺少授权漏洞

Description

WordPress Booking Calendar Contact Form Plugin是一款用于创建带预订日历功能的联系表单工具，支持日期选择、价格配置、PayPal支付集成等，适用于酒店、活动预约等场景。 WordPress Booking Calendar Contact Form Plugin存在缺少授权漏洞，该漏洞源于dex_bccf_check_IPN_verification函数缺少授权检查和支付验证，攻击者可利用该漏洞导致未授权预订确认。

Severity

中

Patch Name

WordPress Booking Calendar Contact Form Plugin缺少授权漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级程序修复该安全问题，详情见厂商官网: https://wordpress.org/plugins/booking-calendar-contact-form/

Reference

https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.59/dex_bccf.php#L1409

Impacted products

Name
WordPress1 Booking Calendar Contact Form Plugin <=1.2.60

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-13318",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-13318"
    }
  },
  "description": "WordPress Booking Calendar Contact Form Plugin\u662f\u4e00\u6b3e\u7528\u4e8e\u521b\u5efa\u5e26\u9884\u8ba2\u65e5\u5386\u529f\u80fd\u7684\u8054\u7cfb\u8868\u5355\u5de5\u5177\uff0c\u652f\u6301\u65e5\u671f\u9009\u62e9\u3001\u4ef7\u683c\u914d\u7f6e\u3001PayPal\u652f\u4ed8\u96c6\u6210\u7b49\uff0c\u9002\u7528\u4e8e\u9152\u5e97\u3001\u6d3b\u52a8\u9884\u7ea6\u7b49\u573a\u666f\u3002\n\nWordPress Booking Calendar Contact Form Plugin\u5b58\u5728\u7f3a\u5c11\u6388\u6743\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8edex_bccf_check_IPN_verification\u51fd\u6570\u7f3a\u5c11\u6388\u6743\u68c0\u67e5\u548c\u652f\u4ed8\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u672a\u6388\u6743\u9884\u8ba2\u786e\u8ba4\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51:\r\nhttps://wordpress.org/plugins/booking-calendar-contact-form/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-29507",
  "openTime": "2025-11-28",
  "patchDescription": "WordPress Booking Calendar Contact Form Plugin\u662f\u4e00\u6b3e\u7528\u4e8e\u521b\u5efa\u5e26\u9884\u8ba2\u65e5\u5386\u529f\u80fd\u7684\u8054\u7cfb\u8868\u5355\u5de5\u5177\uff0c\u652f\u6301\u65e5\u671f\u9009\u62e9\u3001\u4ef7\u683c\u914d\u7f6e\u3001PayPal\u652f\u4ed8\u96c6\u6210\u7b49\uff0c\u9002\u7528\u4e8e\u9152\u5e97\u3001\u6d3b\u52a8\u9884\u7ea6\u7b49\u573a\u666f\u3002\r\n\r\nWordPress Booking Calendar Contact Form Plugin\u5b58\u5728\u7f3a\u5c11\u6388\u6743\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8edex_bccf_check_IPN_verification\u51fd\u6570\u7f3a\u5c11\u6388\u6743\u68c0\u67e5\u548c\u652f\u4ed8\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u672a\u6388\u6743\u9884\u8ba2\u786e\u8ba4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "WordPress Booking Calendar Contact Form Plugin\u7f3a\u5c11\u6388\u6743\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "WordPress1 Booking Calendar Contact Form Plugin \u003c=1.2.60"
  },
  "referenceLink": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.59/dex_bccf.php#L1409",
  "serverity": "\u4e2d",
  "submitTime": "2025-11-25",
  "title": "WordPress Booking Calendar Contact Form Plugin\u7f3a\u5c11\u6388\u6743\u6f0f\u6d1e"
}

CVE-2025-13318 (GCVE-0-2025-13318)

Vulnerability from cvelistv5 – Published: 2025-11-22 08:30 – Updated: 2025-11-24 19:35

Summary

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-862 - Missing Authorization

Assigner

Wordfence

References

URL

Tags

	https://www.wordfence.com/threat-intel/vulnerabil…
	https://plugins.trac.wordpress.org/browser/bookin…
	https://plugins.trac.wordpress.org/browser/bookin…
	https://plugins.trac.wordpress.org/changeset?sfp_…

Impacted products

	Vendor	Product	Version
	codepeople	Booking Calendar Contact Form	Affected: * , ≤ 1.2.60 (semver)

Credits

Md. Moniruzzaman Prodhan

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13318",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-24T19:34:56.104102Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-24T19:35:04.659Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Booking Calendar Contact Form",
          "vendor": "codepeople",
          "versions": [
            {
              "lessThanOrEqual": "1.2.60",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Md. Moniruzzaman Prodhan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the \u0027dex_bccf_ipn\u0027 parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-22T08:30:29.623Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/83b0ae2c-6b08-4b71-a728-c60722ec20c7?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.59/dex_bccf.php#L1409"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf.php#L1409"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3399906%40booking-calendar-contact-form\u0026new=3399906%40booking-calendar-contact-form\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-11-19T15:28:00.000+00:00",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-11-21T19:35:42.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Booking Calendar Contact Form \u003c= 1.2.60 - Missing Authorization to Unauthenticated Arbitrary Booking Confirmation via \u0027dex_bccf_ipn\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-13318",
    "datePublished": "2025-11-22T08:30:29.623Z",
    "dateReserved": "2025-11-17T15:18:42.968Z",
    "dateUpdated": "2025-11-24T19:35:04.659Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-29507

CVE-2025-13318 (GCVE-0-2025-13318)

Tags

Sightings

Nomenclature