PT-2025-47827 · WordPress · Appointment Booking Calendar

Published 2025-11-22 · Updated 2025-11-22 · CVE-2025-13317

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Appointment Booking Calendar versions prior to 1.3.97

Description

The Appointment Booking Calendar plugin for WordPress is affected by a missing authorization issue. The plugin exposes an unauthenticated booking processing endpoint, cpabc_appointments_check_IPN_verification, which does not verify the origin or authenticity of attacker-supplied payment notifications and lacks proper authorization checks. This allows unauthenticated attackers to confirm bookings and insert them into the live calendar by manipulating the cpabc_ipncheck parameter, potentially triggering administrative and customer notification emails and disrupting operations.

Recommendations

Update Appointment Booking Calendar to version 1.3.97 or later.

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-13317

Affected Products

Appointment Booking Calendar