WPBookit CVE-2025-26910
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit allows Stored XSS. This issue affects WPBookit: from n/a through 1.0.1.
AnalysisAI
Stored Cross-Site Scripting in WPBookit WordPress plugin through version 1.0.1 can be achieved via CSRF attack vector. Attackers trick authenticated administrators into executing malicious requests that inject persistent JavaScript into the booking management interface, potentially leading to session hijacking, privilege escalation, or further site compromise. EPSS score of 0.05% (14th percentile) indicates low probability of mass exploitation, though the CVSS:3.1 score of 7.1 reflects the Changed Scope and combined impact of both CSRF and XSS vulnerabilities affecting confidentiality, integrity, and availability.
Technical ContextAI
This vulnerability chains two common web application weaknesses in a WordPress plugin context: CSRF (CWE-352) enabling an attacker to perform actions as an authenticated user, combined with stored XSS that persists malicious scripts in the application database. WPBookit is a WordPress booking management plugin (cpe:2.3:a:iqonic:wpbookit) that appears to lack anti-CSRF tokens on administrative functions handling user input. The CSRF attack serves as the delivery mechanism to bypass authentication requirements, while the stored XSS component allows injected JavaScript to execute in the context of other administrators or users viewing affected booking data. The Changed Scope (S:C) in the CVSS vector indicates the vulnerability affects resources beyond the vulnerable component's security scope, typical when client-side code execution impacts user sessions across the broader WordPress installation.
RemediationAI
Immediately update WPBookit to a version newer than 1.0.1 if a patched release is available - check the WordPress plugin repository or Iqonic Design's official channels for the latest secure version, though no specific fixed version is documented in current intelligence. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpbookit/vulnerability/wordpress-wpbookit-plugin-1-0-1-cross-site-request-forgery-csrf-vulnerability for vendor patch status updates. If no patch is available or upgrade is delayed, implement compensating controls: (1) disable the WPBookit plugin entirely until patched if booking functionality is not business-critical, (2) restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules to limit CSRF attack surface (trade-off: reduces administrative flexibility for remote management), (3) enforce Content Security Policy headers to mitigate stored XSS impact by blocking inline script execution (trade-off: may break legitimate plugin functionality requiring code review), (4) mandate use of security plugins like Wordfence or Sucuri that provide CSRF token protection and XSS filtering at the WordPress level (trade-off: adds processing overhead and potential compatibility conflicts). Educate administrators to avoid clicking external links while logged into WordPress and to use separate browsers for administrative tasks versus general web browsing.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today