Skip to main content

Eagle Booking EUVDEUVD-2025-210357

| CVE-2025-68052 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-26 audit@patchstack.com GHSA-mfrc-v4qq-frq6
8.8
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.6 HIGH

Unauthenticated remote CSRF needs victim interaction (PR:N/UI:R); integrity-High as forged actions change state, but confidentiality/availability impact is limited and likely below the vendor's triple-High.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:31 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Request Forgery (CSRF) in Eagle Booking <= 1.3.4.3 versions.

AnalysisAI

Cross-Site Request Forgery in the Eagle Booking WordPress plugin (versions 1.3.4.3 and earlier) lets an unauthenticated attacker forge state-changing requests that execute with a logged-in victim's privileges when that victim is lured into triggering a malicious page. Reported through Patchstack and tracked as CVE-2025-68052 (CWE-352) with a CVSS 8.8 score, it has no public exploit identified at time of analysis and is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user (UI:R), real-world impact depends on which privileged user is targeted.

Technical ContextAI

The flaw is a classic CWE-352 Cross-Site Request Forgery in Eagle Booking, a WordPress booking/reservation plugin. CSRF occurs when an application performs sensitive, state-changing actions based solely on the browser's ambient session cookies without validating an unpredictable, request-bound anti-CSRF token (in WordPress, typically a nonce checked via wp_verify_nonce/check_admin_referer). An attacker who controls or injects content on any external site can cause the victim's authenticated browser to silently submit requests to the vulnerable plugin endpoint. No CPE strings were provided in the input beyond the product/version range; the only reference is the Patchstack database advisory, and the affected component is the Eagle Booking plugin code path that processes requests without nonce enforcement.

RemediationAI

No vendor-released patch version is identified in the available data, so the input does not confirm a fixed release; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/eagle-booking/vulnerability/wordpress-eagle-booking-plugin-1-3-4-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) for the latest patched version and upgrade to it as soon as it is available. Until a fixed release is confirmed, compensating controls include placing the WordPress admin and plugin endpoints behind a WAF with CSRF/referer-origin checks, enforcing SameSite=Lax or Strict on authentication cookies to blunt cross-site request delivery (side effect: may break legitimate cross-site embeds or third-party integrations), restricting access to the plugin's administrative functions by IP or VPN where feasible, and training privileged users not to follow untrusted links while logged in. If the plugin is non-essential, deactivating and removing Eagle Booking eliminates the exposure at the cost of losing booking functionality.

Share

EUVD-2025-210357 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy