CVE-2025-59130
Description
Cross-Site Request Forgery (CSRF) vulnerability in appointify Appointify appointify allows Cross Site Request Forgery. This issue affects Appointify: from n/a through <= 1.0.8.
Analysis
A cross-site request forgery vulnerability in the Appointify WordPress plugin, versions up to and including 1.0.8, allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The plugin provides appointment scheduling, so an attacker can manipulate that functionality without the user's explicit consent. With an EPSS score of 0.02% (5th percentile), the likelihood of exploitation is minimal despite the technical severity classification.
Technical Context
The vulnerability stems from insufficient CSRF token validation in the Appointify WordPress plugin (CWE-352: Cross-Site Request Forgery). WordPress plugins that fail to implement proper nonce verification or CSRF token checks are susceptible to this attack class, where an attacker can craft a malicious webpage or email containing requests that, when visited by an authenticated WordPress administrator or user with plugin permissions, execute unintended actions on behalf of that user. The Appointify plugin, which handles appointment scheduling functionality, lacks adequate request origin verification mechanisms across one or more sensitive endpoints. This allows attackers to exploit the implicit trust relationship between a user's browser and the WordPress site to trigger state-changing operations without the user's knowledge.
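The nonce pattern described above, as an added illustration that is not Appointify's code (the page does not show the affected endpoints): a hypothetical admin-post handler that changes an appointment's status, first without any request-origin check, then hardened with a WordPress nonce bound to the action and the record, plus a separate capability check. The `appt_` function names, the `appt` post type and the status values are assumptions.

```php
<?php
// Hypothetical appointment-status handler (NOT Appointify's code) showing the
// CWE-352 pattern: a state change on POST with no nonce check, then the fix.
// Assumed: appointments are stored as posts of type 'appt' (constructed).

// --- Vulnerable form: any POST reaching admin-post.php is honoured ---------
function appt_update_status_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required' );
    }
    $id     = absint( $_POST['appt_id'] ?? 0 );
    $status = sanitize_text_field( $_POST['status'] ?? '' );
    // No nonce and no capability check: a form auto-submitted from another
    // site in a logged-in user's browser is treated as that user's action.
    update_post_meta( $id, 'appt_status', $status );
    wp_safe_redirect( admin_url( 'admin.php?page=appt' ) );
    exit;
}

// --- Hardened form: nonce tied to the action + capability check -----------
function appt_render_status_form( $appt_id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="appt_update_status">';
    echo '<input type="hidden" name="appt_id" value="' . absint( $appt_id ) . '">';
    // Emits a hidden field (_appt_nonce) bound to this action, this record
    // and the current user's session; a cross-site page cannot obtain it.
    wp_nonce_field( 'appt_update_status_' . absint( $appt_id ), '_appt_nonce' );
    echo '<input type="text" name="status"><button type="submit">Save</button></form>';
}

function appt_update_status_hardened() {
    $id = absint( $_POST['appt_id'] ?? 0 );
    // Stops the request with HTTP 403 (wp_die) unless _appt_nonce verifies
    // against the same action string the form was rendered with.
    check_admin_referer( 'appt_update_status_' . $id, '_appt_nonce' );
    // Authorisation is separate from CSRF protection: enforce it as well.
    if ( ! current_user_can( 'edit_post', $id ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $allowed = array( 'pending', 'confirmed', 'cancelled' );
    $status  = sanitize_text_field( $_POST['status'] ?? '' );
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_die( 'Invalid status', '', array( 'response' => 400 ) );
    }
    update_post_meta( $id, 'appt_status', $status );
    wp_safe_redirect( admin_url( 'admin.php?page=appt' ) );
    exit;
}
add_action( 'admin_post_appt_update_status', 'appt_update_status_hardened' );
```

A nonce check that is present but uses a different action string from the one the form was rendered with fails closed, so a failing `check_admin_referer` after an update is a sign the two strings have drifted apart, not a reason to remove the check.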
Affected Products
The Appointify WordPress plugin is affected in all versions through and including 1.0.8. It is identified by its CPE as a WordPress plugin maintained by the Appointify project. Every installation running Appointify 1.0.8 or earlier is exposed to this CSRF attack vector.
Remediation
Update Appointify WordPress plugin to a version newer than 1.0.8 once a patched release becomes available. Consult the official Appointify plugin repository or Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/appointify/vulnerability/wordpress-appointify-plugin-1-0-8-cross-site-request-forgery-csrf-vulnerability for the specific patched version number and installation instructions. As an interim mitigation, site administrators can restrict plugin access to trusted users only and monitor WordPress audit logs for unexpected appointment modifications. Additionally, ensure WordPress nonce-based security best practices are enforced site-wide and consider using Content Security Policy (CSP) headers to reduce CSRF attack surface.