Analysis Report · Folder Analysis cache/timetics_1.0.36 → cache/timetics_1.0.37 — CVE-2025-5919
Shared security patch analysis results
CVE Security Analysis & Writeups
Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.
CVE-2025-5919 · NVD · AI-Generated Analysis
Findings
core/bookings/api-booking.php
AI: 1 vulnerability
1 true positive
CVE-2025-5919
--- cache/timetics_1.0.36/core/bookings/api-booking.php 2026-01-08 00:33:04.182470820 +0000+++ cache/timetics_1.0.37/core/bookings/api-booking.php 2026-01-08 00:35:42.852171654 +0000@@ -95,16 +95,12 @@ [ 'methods' => \WP_REST_Server::READABLE, 'callback' => [$this, 'get_item'],- 'permission_callback' => function () {- return true;- },+ 'permission_callback' => [$this, 'get_item_permission_callback'], ], [ 'methods' => \WP_REST_Server::EDITABLE, 'callback' => [$this, 'update_item'],- 'permission_callback' => function () {- return true;- },+ 'permission_callback' => [$this, 'update_item_permission_callback'], ], [ 'methods' => \WP_REST_Server::DELETABLE,@@ -1237,4 +1233,30 @@ return 0; }++ /**+ * Update item permission callback+ * @param WP_Rest_Request $request+ * @return bool+ */+ public function update_item_permission_callback($request){+ $nonce = $request->get_header('X-WP-Nonce');+ if (wp_verify_nonce($nonce, 'wp_rest')) {+ return true;+ }+ return false;+ }++ /**+ * Get item permission callback+ * @param WP_Rest_Request $request+ * @return bool+ */+ public function get_item_permission_callback($request){+ $nonce = $request->get_header('X-WP-Nonce');+ if (wp_verify_nonce($nonce, 'wp_rest')) {+ return true;+ }+ return false;+ } }
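Review bot: the new `get_item_permission_callback` and `update_item_permission_callback` in the second hunk only call `wp_verify_nonce($nonce, 'wp_rest')`, which is not an authorization check: a valid REST nonce shows the request came from the current session's own front end (CSRF protection), not that the current user may read or change this particular booking, and WordPress core already rejects cookie-authenticated REST requests that lack a valid `wp_rest` nonce, so in practice the callback mainly turns away logged-out callers while any logged-in user still passes. Suggest combining the nonce check with a capability or ownership check, e.g. `return current_user_can( 'manage_options' ) && wp_verify_nonce( $nonce, 'wp_rest' );`, or verifying that the booking belongs to the requesting customer or staff member, and applying the same treatment to the `DELETABLE` route whose callback sits just outside the first hunk's context. Minor: the docblocks name `WP_Rest_Request`; the class is `WP_REST_Request`.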
AI Analysis
I'll analyze this code diff for security vulnerabilities.
**Vulnerability Existed: yes**
TRUE POSITIVE
**Cross-Site Request Forgery (CSRF) - CWE-352 - core/bookings/api-booking.php Lines 98-109 and 1236-1260**
**Old Code:**
```php
'permission_callback' => function () {
    return true;
},
```
**Fixed Code:**
```php
'permission_callback' => [$this, 'get_item_permission_callback'],
'permission_callback' => [$this, 'update_item_permission_callback'],

public function update_item_permission_callback($request){
    $nonce = $request->get_header('X-WP-Nonce');
    if (wp_verify_nonce($nonce, 'wp_rest')) {
        return true;
    }
    return false;
}

public function get_item_permission_callback($request){
    $nonce = $request->get_header('X-WP-Nonce');
    if (wp_verify_nonce($nonce, 'wp_rest')) {
        return true;
    }
    return false;
}
```
**Explanation:**
The original code had a critical security vulnerability. The REST API endpoints for GET and UPDATE operations had permission callbacks that unconditionally returned `true`, allowing any unauthenticated or unauthorized user to access and modify booking data without proper authorization checks.
The fix implements proper CSRF protection by:
1. Extracting the WordPress nonce from the request header (`X-WP-Nonce`)
2. Validating the nonce using `wp_verify_nonce()` with the `wp_rest` action
3. Only returning `true` if the nonce is valid, denying access otherwise
This prevents CSRF attacks by ensuring that state-changing operations (EDITABLE methods) and sensitive data access (READABLE methods) require a valid WordPress REST API nonce token. Without this validation, attackers could craft malicious requests to manipulate booking data on behalf of authenticated users.
CVE Analysis Results:
CVE-2025-5919: Yes
View CVE Description
The Appointment Booking and Scheduling Calendar Plugin – WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details.
core/frontend/templates/meeting-list.php
AI: 1 vulnerability
1 true positive
CVE-2025-5919
--- cache/timetics_1.0.36/core/frontend/templates/meeting-list.php 2026-01-08 00:33:04.182470820 +0000+++ cache/timetics_1.0.37/core/frontend/templates/meeting-list.php 2026-01-08 00:35:42.896174313 +0000@@ -3,9 +3,15 @@ use Timetics\Core\Appointments\Appointment as Appointment; use Timetics\Core\Staffs\Staff; -$meetings = Appointment::all([+$args = [ 'posts_per_page' => $limit-]);+];++if ( ! current_user_can( 'manage_options' ) ) {+ $args['visibility'] = 'enabled';+}++$meetings = Appointment::all($args); $staffs = Staff::all(); $terms = get_terms( [
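Review bot: the filtering in this hunk depends entirely on `Appointment::all()` honouring the `'visibility' => 'enabled'` argument, and that method is outside the diff; confirm it maps the key to a query condition rather than ignoring unknown keys, otherwise non-admins still receive every appointment and the template gives no sign of it. Also, `manage_options` is an administrator-level capability, so staff members who own meetings get the same filtered list as anonymous visitors; if staff are meant to see their own hidden meetings, a plugin-specific capability or an ownership condition would express that rule more precisely than `! current_user_can( 'manage_options' )`.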
AI Analysis
I'll analyze this code diff for security vulnerabilities.
**Vulnerability Existed: yes**
TRUE POSITIVE
**Improper Access Control / Missing Authorization Check - CWE-639 - core/frontend/templates/meeting-list.php - Lines 6-9 (Old Code)**
**Old Code:**
```php
$meetings = Appointment::all([
    'posts_per_page' => $limit
]);
```
**Fixed Code:**
```php
$args = [
    'posts_per_page' => $limit
];
if ( ! current_user_can( 'manage_options' ) ) {
    $args['visibility'] = 'enabled';
}
$meetings = Appointment::all($args);
```
**Explanation:**
The original code retrieved ALL appointments without any authorization checks or visibility filters. This allowed any user (including non-authenticated or low-privilege users) to access all appointments regardless of their permission level. The fix adds a capability check using `current_user_can('manage_options')` to filter the query results. Non-admin users now only see appointments with 'visibility' set to 'enabled', implementing proper access control. This prevents unauthorized disclosure of sensitive meeting/appointment information to users who should not have access to all appointments.
CVE Analysis Results:
CVE-2025-5919: Yes
View CVE Description
The Appointment Booking and Scheduling Calendar Plugin – WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details.