Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Unauthenticated remote CSRF needs victim interaction (PR:N/UI:R); integrity-High as forged actions change state, but confidentiality/availability impact is limited and likely below the vendor's triple-High.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Request Forgery (CSRF) in Eagle Booking <= 1.3.4.3 versions.
AnalysisAI
Cross-Site Request Forgery in the Eagle Booking WordPress plugin (versions 1.3.4.3 and earlier) lets an unauthenticated attacker forge state-changing requests that execute with a logged-in victim's privileges when that victim is lured into triggering a malicious page. Reported through Patchstack and tracked as CVE-2025-68052 (CWE-352) with a CVSS 8.8 score, it has no public exploit identified at time of analysis and is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user (UI:R), real-world impact depends on which privileged user is targeted.
Technical ContextAI
The flaw is a classic CWE-352 Cross-Site Request Forgery in Eagle Booking, a WordPress booking/reservation plugin. CSRF occurs when an application performs sensitive, state-changing actions based solely on the browser's ambient session cookies without validating an unpredictable, request-bound anti-CSRF token (in WordPress, typically a nonce checked via wp_verify_nonce/check_admin_referer). An attacker who controls or injects content on any external site can cause the victim's authenticated browser to silently submit requests to the vulnerable plugin endpoint. No CPE strings were provided in the input beyond the product/version range; the only reference is the Patchstack database advisory, and the affected component is the Eagle Booking plugin code path that processes requests without nonce enforcement.
RemediationAI
No vendor-released patch version is identified in the available data, so the input does not confirm a fixed release; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/eagle-booking/vulnerability/wordpress-eagle-booking-plugin-1-3-4-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) for the latest patched version and upgrade to it as soon as it is available. Until a fixed release is confirmed, compensating controls include placing the WordPress admin and plugin endpoints behind a WAF with CSRF/referer-origin checks, enforcing SameSite=Lax or Strict on authentication cookies to blunt cross-site request delivery (side effect: may break legitimate cross-site embeds or third-party integrations), restricting access to the plugin's administrative functions by IP or VPN where feasible, and training privileged users not to follow untrusted links while logged in. If the plugin is non-essential, deactivating and removing Eagle Booking eliminates the exposure at the cost of losing booking functionality.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210357
GHSA-mfrc-v4qq-frq6