CVE-2025-63012

Severity: MEDIUM (CVSS 3.1 base score 4.3)
Published: 2025-12-09

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 09, 2025 - 16:18 (nvd), rated MEDIUM 4.3

Description

Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Cross Site Request Forgery. This issue affects WP Hotel Booking: from n/a through <= 2.2.8.

Analysis

Cross-site request forgery in the ThimPress WP Hotel Booking plugin, version 2.2.8 and earlier, allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted requests. Exploitation requires user interaction (the victim clicking a malicious link) and results in limited information disclosure, giving a CVSS score of 4.3. Exploitation probability is very low per EPSS (score 0.02%, percentile 5%), suggesting this is a lower-priority vulnerability despite public researcher disclosure.

Technical Context

Cross-site request forgery (CWE-352) occurs when a web application fails to validate that a request originates from its own legitimate front end rather than from a third-party page. In this WordPress plugin, the vulnerability stems from insufficient CSRF token validation on state-changing operations. The affected plugin (wp-hotel-booking, CPE: wp:wp-hotel-booking) is a WordPress plugin providing hotel booking functionality. WordPress plugins execute within the WordPress application context and can access sensitive booking and user data. Because the browser attaches the victim's session cookies to any request sent to the site, a booking operation (such as a reservation modification or cancellation) that is not protected by a WordPress nonce can be triggered by a request forged from an attacker-controlled page, and it executes with the privileges of the logged-in user who visited that page.
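As an added illustration of the missing-nonce pattern described above (not WP Hotel Booking's own code: the action names, the demo_ functions and the custom "cancelled" post status are hypothetical), here is a WordPress AJAX handler with no nonce check beside its hardened form:

```php
<?php
// Hypothetical demo plugin code, not taken from WP Hotel Booking.

// Vulnerable pattern: a state-changing AJAX action with no nonce check.
// A request to admin-ajax.php from any page the logged-in user visits
// carries that user's cookies, so WordPress runs it as that user.
add_action( 'wp_ajax_demo_cancel_booking', 'demo_cancel_booking_unsafe' );
function demo_cancel_booking_unsafe() {
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    // 'cancelled' is a hypothetical custom post status for the demo.
    wp_update_post( array( 'ID' => $booking_id, 'post_status' => 'cancelled' ) );
    wp_send_json_success();
}

// Hardened pattern: a nonce bound to this action, plus an ownership check.
add_action( 'wp_ajax_demo_cancel_booking_safe', 'demo_cancel_booking_safe' );
function demo_cancel_booking_safe() {
    // Stops the request (HTTP 403, body "-1") unless $_POST['_wpnonce'] was
    // minted for this action and this user within the nonce lifetime.
    check_ajax_referer( 'demo_cancel_booking', '_wpnonce' );

    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    $booking    = get_post( $booking_id );
    // A nonce proves the request came from our own UI; it is not an
    // authorization check, so the caller must still own the booking.
    if ( ! $booking || (int) $booking->post_author !== get_current_user_id() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_update_post( array( 'ID' => $booking_id, 'post_status' => 'cancelled' ) );
    wp_send_json_success();
}

// The legitimate front end receives the nonce via wp_localize_script.
// A third-party page cannot read it, so its forged request fails the check.
add_action( 'wp_enqueue_scripts', 'demo_enqueue_booking_script' );
function demo_enqueue_booking_script() {
    wp_enqueue_script( 'demo-booking', plugins_url( 'booking.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'demo-booking', 'demoBooking', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_cancel_booking' ),
    ) );
}
```

When reviewing a plugin for this class of bug, the check is mechanical: every wp_ajax_*, admin_post_* and form handler that changes state should call check_ajax_referer(), check_admin_referer() or wp_verify_nonce() before doing anything, and then a capability or ownership check on top.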

Affected Products

ThimPress WP Hotel Booking plugin (wp-hotel-booking) version 2.2.8 and all earlier versions are affected. The plugin is distributed through WordPress.org and is identified by CPE wp:wp-hotel-booking. Additional details and vulnerability tracking are available at the Patchstack vulnerability database: https://patchstack.com/database/Wordpress/Plugin/wp-hotel-booking/vulnerability/wordpress-wp-hotel-booking-plugin-2-2-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

Remediation

Update the WP Hotel Booking plugin to the patched version released after 2.2.8. Site administrators should navigate to WordPress Dashboard → Plugins → Installed Plugins, locate WP Hotel Booking, and install the latest available version. If a patched version is not yet available, implement temporary mitigation by disabling the plugin until an update is released, or restrict access to the WordPress admin and booking functionality to known IP addresses. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-hotel-booking/vulnerability/wordpress-wp-hotel-booking-plugin-2-2-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve contains additional guidance and patch availability confirmation.

Priority Score

22 (scale: Low, Medium, High, Critical)
KEV: 0
EPSS: +0.0
CVSS: +22
POC: 0


CVE-2025-63012 vulnerability details – vuln.today
