Skip to main content

ThimPress WP Hotel Booking CVE-2025-63012

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-12-09 audit@patchstack.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 09, 2025 - 16:18 nvd
MEDIUM 4.3

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Cross Site Request Forgery.This issue affects WP Hotel Booking: from n/a through <= 2.2.8.

AnalysisAI

Cross-site request forgery in ThimPress WP Hotel Booking plugin version 2.2.8 and earlier allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted requests. The vulnerability requires user interaction (clicking a malicious link) and results in limited information disclosure, with a CVSS score of 4.3. Exploitation probability is very low per EPSS (0.02% percentile 5%), suggesting this is a lower-priority vulnerability despite public researcher disclosure.

Technical ContextAI

Cross-site request forgery (CWE-352) occurs when a web application fails to validate that requests originate from legitimate sources. In this WordPress plugin, the vulnerability stems from insufficient CSRF token validation on state-changing operations. The affected plugin (wp-hotel-booking, CPE: wp:wp-hotel-booking) is a WordPress plugin providing hotel booking functionality. WordPress plugins execute within the WordPress application context and can access sensitive booking and user data. The lack of proper nonce validation or CSRF tokens on hotel booking operations (such as reservation modifications or cancellations) allows attackers to forge requests that execute with the privileges of logged-in users who visit attacker-controlled pages.

Affected ProductsAI

ThimPress WP Hotel Booking plugin (wp-hotel-booking) version 2.2.8 and all earlier versions are affected. The plugin is distributed through WordPress.org and is identified by CPE wp:wp-hotel-booking. Additional details and vulnerability tracking are available at the Patchstack vulnerability database: https://patchstack.com/database/Wordpress/Plugin/wp-hotel-booking/vulnerability/wordpress-wp-hotel-booking-plugin-2-2-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

RemediationAI

Update the WP Hotel Booking plugin to the patched version released after 2.2.8. Site administrators should navigate to WordPress Dashboard → Plugins → Installed Plugins, locate WP Hotel Booking, and install the latest available version. If a patched version is not yet available, implement temporary mitigation by disabling the plugin until an update is released, or restrict access to the WordPress admin and booking functionality to known IP addresses. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-hotel-booking/vulnerability/wordpress-wp-hotel-booking-plugin-2-2-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve contains additional guidance and patch availability confirmation.

Share

CVE-2025-63012 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy