codepeople Appointment Booking Calendar Plugin up to 1.3.96 on WordPress cpabc_ipncheck authorization

Summaryinfo

A vulnerability was found in codepeople Appointment Booking Calendar Plugin up to 1.3.96 on WordPress and classified as critical. The impacted element is an unknown function. Executing a manipulation of the argument cpabc_ipncheck can lead to authorization. The identification of this vulnerability is CVE-2025-13317. The attack may be launched remotely. There is no exploit available.

Detailsinfo

A vulnerability has been found in codepeople Appointment Booking Calendar Plugin up to 1.3.96 on WordPress and classified as critical. This vulnerability affects an unknown code. The manipulation of the argument cpabc_ipncheck with an unknown input leads to a authorization vulnerability. The CWE definition for the vulnerability is CWE-862. The product does not perform an authorization check when an actor attempts to access a resource or perform an action. As an impact it is known to affect integrity, and availability. CVE summarizes:

The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_verification) that trusts attacker-supplied payment notifications without verifying their origin, authenticity, or requiring proper authorization checks. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and insert them into the live calendar via the 'cpabc_ipncheck' parameter, triggering administrative and customer notification emails and disrupting operations.

The advisory is available at wordfence.com. This vulnerability was named CVE-2025-13317. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details are known, but there is no available exploit. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 11/22/2025).

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-198537). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Appointment Software

Vendor

• codepeople

Name

• Appointment Booking Calendar Plugin

Version

• 1.3.0
• 1.3.1
• 1.3.2
• 1.3.3
• 1.3.4
• 1.3.5
• 1.3.6
• 1.3.7
• 1.3.8
• 1.3.9
• 1.3.10
• 1.3.11
• 1.3.12
• 1.3.13
• 1.3.14
• 1.3.15
• 1.3.16
• 1.3.17
• 1.3.18
• 1.3.19
• 1.3.20
• 1.3.21
• 1.3.22
• 1.3.23
• 1.3.24
• 1.3.25
• 1.3.26
• 1.3.27
• 1.3.28
• 1.3.29
• 1.3.30
• 1.3.31
• 1.3.32
• 1.3.33
• 1.3.34
• 1.3.35
• 1.3.36
• 1.3.37
• 1.3.38
• 1.3.39
• 1.3.40
• 1.3.41
• 1.3.42
• 1.3.43
• 1.3.44
• 1.3.45
• 1.3.46
• 1.3.47
• 1.3.48
• 1.3.49
• 1.3.50
• 1.3.51
• 1.3.52
• 1.3.53
• 1.3.54
• 1.3.55
• 1.3.56
• 1.3.57
• 1.3.58
• 1.3.59
• 1.3.60
• 1.3.61
• 1.3.62
• 1.3.63
• 1.3.64
• 1.3.65
• 1.3.66
• 1.3.67
• 1.3.68
• 1.3.69
• 1.3.70
• 1.3.71
• 1.3.72
• 1.3.73
• 1.3.74
• 1.3.75
• 1.3.76
• 1.3.77
• 1.3.78
• 1.3.79
• 1.3.80
• 1.3.81
• 1.3.82
• 1.3.83
• 1.3.84
• 1.3.85
• 1.3.86
• 1.3.87
• 1.3.88
• 1.3.89
• 1.3.90
• 1.3.91
• 1.3.92
• 1.3.93
• 1.3.94
• 1.3.95
• 1.3.96

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion