Exploitation Summary
CVE-2025-12841 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows an unauthenticated user to update the plugin's Stripe payment options.
Nuclei Templates (1)
WordPress Bookit < 2.5.1 - Unauthenticated Stripe Settings Update
Severity: HIGH | Verified | by 0x_Akoko
References (1)
Core (1)
Core References
Tags: Third Party Advisory, exploit, vdb-entry, technical-description
https://wpscan.com/vulnerability/60cb3d5f-1aa5-4858-ab84-07fe7c023fdd/
Scores
CVSS v3
5.3
EPSS
0.0113
EPSS Percentile
78.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
Status
published
Products (1)
Unknown/Bookit
< 2.5.1
Published
Dec 12, 2025
Tracked Since
Feb 18, 2026