Unauthenticated users can change booking status in Timetics WordPress plugin

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

4.3

Unauthenticated users can change booking status in Timetics WordPress plugin

CVE-2025-15473

Summary

The Timetics WordPress plugin is not secure, allowing anyone to change booking payments and status without permission. This means unauthorized users can manipulate bookings, which could lead to financial losses or other issues. Update to version 1.0.52 or later to fix this issue.

Original title

The Timetics WordPress plugin before 1.0.52 does not have authorization in a REST endpoint, allowing unauthenticated users to arbitrarily change a booking's payment status and post status for the ...

Original description

The Timetics WordPress plugin before 1.0.52 does not have authorization in a REST endpoint, allowing unauthenticated users to arbitrarily change a booking's payment status and post status for the "timetics-booking" custom post type.

Vulnerability type

CWE-862 Missing Authorization

https://wpscan.com/vulnerability/f355e4ac-7aa6-4c5b-b1e5-b37937156583/

Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026