cleantalk
Vulnerabilities and Security Researches

Appointment Booking Calendar, CVE-2025-13317

CVE, Research URL

CVE-2025-13317

Home page URL

Security reports for Appointment Booking Calendar

Application

Appointment Booking Calendar

Published on
Nov 22, 2025
Research Description
The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_verification) that trusts attacker-supplied payment notifications without verifying their origin, authenticity, or requiring proper authorization checks. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and insert them into the live calendar via the 'cpabc_ipncheck' parameter, triggering administrative and customer notification emails and disrupting operations.
Affected versions
max 1.3.97.
Status
vulnerable
Previous vulnerability researches
Appointment Booking Calendar (CVE-2020-9372) , Jun 07, 2024
Appointment Booking Calendar (CVE-2025-46247) , Apr 23, 2025
Appointment Booking Calendar (CVE-2025-46241) , Jun 14, 2026
Appointment Booking Calendar (CVE-2025-13317) , Dec 10, 2025
Appointment Booking Calendar (CVE-2022-43482) , Jun 07, 2024
New vulnerability
FAQ Manager For Divi, Gutenberg Block & Shortcode (CVE-2023-33999) , Jun 14, 2026
TablePress – Tables in WordPress made easy (CVE-2023-33999) , Jun 14, 2026
Docket Cache – Object Cache Accelerator (CVE-2026-22492) , Jun 14, 2026
Advanced Classifieds & Directory Pro (CVE-2023-33999) , Jun 14, 2026
Display Eventbrite Events (CVE-2023-33999) , Jun 14, 2026