CVE-2025-54036

2025-07-16

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Webba Appointment Booking Webba Booking webba-booking-lite allows Cross Site Request Forgery. This issue affects Webba Booking: from n/a through <= 5.1.20.

Analysis

Cross-site request forgery (CSRF) in the Webba Appointment Booking plugin (webba-booking-lite) through version 5.1.20 allows unauthenticated attackers to perform unwanted actions on behalf of authenticated users by inducing those users' browsers to submit crafted requests. The vulnerability affects the WordPress plugin and carries a low exploitation probability (EPSS 0.02%, percentile 6%), with no public exploit code identified at the time of analysis.

Technical Context

This is a CSRF vulnerability (CWE-352) in a WordPress appointment booking plugin. CSRF attacks exploit the trust a web application places in a user's browser: when an authenticated user visits a page controlled by an attacker, the browser automatically attaches the application's session cookies to the requests that page causes it to send to the vulnerable application. The plugin likely lacks proper nonce validation (WordPress's primary CSRF mitigation) on state-changing actions such as appointment creation, modification, deletion, or settings changes. Affected product: the Webba Booking (webba-booking-lite) WordPress plugin; the CPE context places it in the WordPress plugin ecosystem, where CSRF protection relies on the WordPress nonce functions.

Affected Products

Webba Booking (webba-booking-lite) WordPress plugin from version 1.0 through version 5.1.20 is affected. The vulnerability was reported by Patchstack on the WordPress plugin repository. No other products or variations are listed as affected.

Remediation

Update Webba Booking (webba-booking-lite) to a patched version newer than 5.1.20. Verify the update on the WordPress plugin repository or Patchstack's vulnerability database (https://patchstack.com/database/Wordpress/Plugin/webba-booking-lite/vulnerability/wordpress-webba-booking-plugin-5-1-20-cross-site-request-forgery-csrf-vulnerability?_s_id=cve). If an immediate update is unavailable, ensure proper nonce validation is implemented on all state-changing operations and audit plugin code for missing nonce checks in form submissions and AJAX handlers. As a temporary mitigation, restrict plugin access to trusted administrators and monitor for suspicious appointment modifications.
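The remediation advice above (nonce validation on every state-changing operation, including AJAX handlers) is illustrated by the following added PHP example. It is not code from the Webba Booking plugin or from vuln.today, and it makes no claim about where the plugin's actual defect lies; it shows the generic CWE-352 pattern in a WordPress AJAX handler next to its hardened form. The handler, action and function names (example_delete_booking, example_delete_booking_record, the `security` request field) are hypothetical, while check_ajax_referer, current_user_can, wp_create_nonce, wp_localize_script and the other wp_* calls are standard WordPress APIs.

```php
<?php
/**
 * Illustrative WordPress AJAX handler for a state-changing action (deleting a booking).
 * Hypothetical names throughout; this is NOT code from the Webba Booking plugin.
 */

// --- Vulnerable pattern (CWE-352): no nonce, no capability check. ----------------
// Any request reaching admin-ajax.php with action=example_delete_booking is honoured
// as long as the browser carries a logged-in session cookie, which is exactly what a
// request triggered from a third-party page will do. Left unregistered on purpose.
function example_delete_booking_vulnerable() {
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    example_delete_booking_record( $booking_id );
    wp_send_json_success( array( 'deleted' => $booking_id ) );
}
// add_action( 'wp_ajax_example_delete_booking', 'example_delete_booking_vulnerable' );

// --- Hardened pattern: nonce + capability + input validation. --------------------
function example_delete_booking_hardened() {
    // 1. Nonce: ties the request to a token minted for this user and this action.
    //    Here the token is read from $_REQUEST['security'] (default field is _ajax_nonce);
    //    with the default third argument (true) an invalid or missing token ends the
    //    request with "-1" before any state changes.
    check_ajax_referer( 'example_delete_booking', 'security' );

    // 2. Authorization: a nonce proves intent, not privilege. Check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Method and input hygiene for the state-changing operation.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_send_json_error( array( 'message' => 'POST required' ), 405 );
    }
    $booking_id = isset( $_POST['booking_id'] ) ? absint( wp_unslash( $_POST['booking_id'] ) ) : 0;
    if ( 0 === $booking_id ) {
        wp_send_json_error( array( 'message' => 'invalid booking id' ), 400 );
    }

    example_delete_booking_record( $booking_id );
    wp_send_json_success( array( 'deleted' => $booking_id ) );
}
add_action( 'wp_ajax_example_delete_booking', 'example_delete_booking_hardened' );

// Hand the nonce to the plugin's own admin page so its JavaScript can send it back in
// the `security` field. A page on another origin cannot read this value.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-booking-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-booking-admin', 'exampleBooking', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_delete_booking' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );

// Classic (non-AJAX) form posts follow the same pattern with wp_nonce_field() in the
// form and check_admin_referer( 'example_delete_booking' ) in the handler.

// Hypothetical persistence layer; a real plugin would use $wpdb or a custom post type.
function example_delete_booking_record( $booking_id ) {
    // e.g. $wpdb->delete( $wpdb->prefix . 'example_bookings', array( 'id' => $booking_id ), array( '%d' ) );
}
```

When auditing a plugin for the class of issue described on this page, the check is mechanical: list every `wp_ajax_*` / `admin_post_*` hook and every form handler that writes data, and confirm each one calls check_ajax_referer(), check_admin_referer() or wp_verify_nonce() before the write, with a nonce action specific to that operation rather than one shared token for the whole plugin. The capability check is the part nonce validation does not supply: the nonce only shows the request came from a page WordPress rendered for that user, not that the user is allowed to perform the action.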

Priority Score

0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
