Booking Calendar | Appointment Booking | Bookit Missing Authorization Vulnerability in Stripe Connection

Vulnerability

A vulnerability exists in the Booking Calendar | Appointment Booking | Bookit plugin for WordPress, in all versions through 2.5.0. The issue arises from a missing capability check on the REST API endpoint '/wp-json/bookit/v1/commerce/stripe/return'. This flaw allows unauthenticated users to connect their own Stripe accounts to the site and receive its payments, which amounts to unauthorized modification of data.
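The bug class described above, shown as an added illustrative example rather than the plugin's own code: a WordPress REST route whose permission callback admits every request, beside the hardened registration. The namespace and route come from the advisory; the handler, option name and request parameter are hypothetical.

```php
<?php
// Added example, not the Bookit plugin's code. Route taken from the advisory;
// handler name, option name and the 'account' parameter are assumptions.

// Hypothetical handler: stores the Stripe account the site will pay out to.
function example_stripe_return( WP_REST_Request $request ) {
    $account = sanitize_text_field( $request->get_param( 'account' ) );
    if ( '' === $account ) {
        return new WP_Error( 'missing_account', 'No account supplied.', array( 'status' => 400 ) );
    }
    update_option( 'example_stripe_account_id', $account );
    return rest_ensure_response( array( 'connected' => true ) );
}

// Weak: '__return_true' means no capability check at all, so an unauthenticated
// visitor can point the site's payouts at an account they control.
function example_register_stripe_return_weak() {
    register_rest_route( 'bookit/v1', '/commerce/stripe/return', array(
        'methods'             => 'GET',
        'callback'            => 'example_stripe_return',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened: only a logged-in user who may manage the site reaches the handler.
// WordPress returns 401 for anonymous callers and 403 for logged-in users
// without the capability via rest_authorization_required_code().
function example_register_stripe_return_fixed() {
    register_rest_route( 'bookit/v1', '/commerce/stripe/return', array(
        'methods'             => 'GET',
        'callback'            => 'example_stripe_return',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to connect a Stripe account.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}

// Only the hardened registration is hooked; the weak one is kept for contrast.
add_action( 'rest_api_init', 'example_register_stripe_return_fixed' );
```

When auditing a plugin for this class of issue, grep its register_rest_route() calls for permission callbacks that are '__return_true' or absent and confirm each such route is genuinely meant to be public.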

Impact

Exploitation of this vulnerability allows unauthenticated users to connect their Stripe accounts through the WordPress site, potentially leading to unauthorized receipt of payments.

Remediation

Users are advised to update the Booking Calendar | Appointment Booking | Bookit plugin to version 2.5.1 or a newer patched version.

Added: Nov 12, 2025, 8:20 AM
Updated: Nov 12, 2025, 8:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.1
remediation: 7.7
relevance: 1.0
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.