Skip to main content

WPBookit CVE-2025-26910

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-10 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 25, 2026 - 00:50 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:42 NVD
MEDIUM HIGH
CVSS changed
Apr 23, 2026 - 15:42 NVD
6.1 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Mar 12, 2026 - 19:50 vuln.today
CVE Published
Mar 10, 2025 - 15:15 nvd
MEDIUM 6.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit allows Stored XSS. This issue affects WPBookit: from n/a through 1.0.1.

AnalysisAI

Stored Cross-Site Scripting in WPBookit WordPress plugin through version 1.0.1 can be achieved via CSRF attack vector. Attackers trick authenticated administrators into executing malicious requests that inject persistent JavaScript into the booking management interface, potentially leading to session hijacking, privilege escalation, or further site compromise. EPSS score of 0.05% (14th percentile) indicates low probability of mass exploitation, though the CVSS:3.1 score of 7.1 reflects the Changed Scope and combined impact of both CSRF and XSS vulnerabilities affecting confidentiality, integrity, and availability.

Technical ContextAI

This vulnerability chains two common web application weaknesses in a WordPress plugin context: CSRF (CWE-352) enabling an attacker to perform actions as an authenticated user, combined with stored XSS that persists malicious scripts in the application database. WPBookit is a WordPress booking management plugin (cpe:2.3:a:iqonic:wpbookit) that appears to lack anti-CSRF tokens on administrative functions handling user input. The CSRF attack serves as the delivery mechanism to bypass authentication requirements, while the stored XSS component allows injected JavaScript to execute in the context of other administrators or users viewing affected booking data. The Changed Scope (S:C) in the CVSS vector indicates the vulnerability affects resources beyond the vulnerable component's security scope, typical when client-side code execution impacts user sessions across the broader WordPress installation.

RemediationAI

Immediately update WPBookit to a version newer than 1.0.1 if a patched release is available - check the WordPress plugin repository or Iqonic Design's official channels for the latest secure version, though no specific fixed version is documented in current intelligence. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpbookit/vulnerability/wordpress-wpbookit-plugin-1-0-1-cross-site-request-forgery-csrf-vulnerability for vendor patch status updates. If no patch is available or upgrade is delayed, implement compensating controls: (1) disable the WPBookit plugin entirely until patched if booking functionality is not business-critical, (2) restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules to limit CSRF attack surface (trade-off: reduces administrative flexibility for remote management), (3) enforce Content Security Policy headers to mitigate stored XSS impact by blocking inline script execution (trade-off: may break legitimate plugin functionality requiring code review), (4) mandate use of security plugins like Wordfence or Sucuri that provide CSRF token protection and XSS filtering at the WordPress level (trade-off: adds processing overhead and potential compatibility conflicts). Educate administrators to avoid clicking external links while logged into WordPress and to use separate browsers for administrative tasks versus general web browsing.

Share

CVE-2025-26910 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy