CVE-2025-23690
📋 TL;DR
This CSRF vulnerability in the Book a Place WordPress plugin allows attackers to trick authenticated administrators into executing malicious actions, which can lead to stored cross-site scripting (XSS) attacks. The vulnerability affects all versions up to and including 0.7.1. WordPress sites using this plugin are at risk.
💻 Affected Systems
- ArtkanMedia Book a Place WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious JavaScript that executes in visitors' browsers, potentially stealing session cookies, redirecting users to malicious sites, or performing actions on behalf of authenticated users.
Likely Case
Attackers create fake forms or links that trick administrators into unknowingly submitting malicious content, which then gets stored and served to other users.
If Mitigated
With proper CSRF tokens and input validation, the attack vector is eliminated, preventing unauthorized actions even if users are tricked into clicking malicious links.
🎯 Exploit Status
Requires social engineering to trick authenticated users into performing actions. The CSRF leads to stored XSS, which requires additional steps to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 0.7.1
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Book a Place' and check for updates. 4. If update available, click 'Update Now'. 5. If no update available, consider disabling or removing the plugin.
🔧 Temporary Workarounds
Implement CSRF Protection Manually
WordPressAdd nonce verification to plugin forms and actions
Requires modifying plugin PHP files to include wp_nonce_field() and wp_verify_nonce() calls
🧯 If You Can't Patch
- Disable the Book a Place plugin immediately
- Implement web application firewall (WAF) rules to block CSRF attempts and XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for Book a Place version. If version is 0.7.1 or earlier, you are vulnerable.Check Version:
wp plugin list --name='book-a-place' --field=versionVerify Fix Applied:
After updating, verify the plugin version is higher than 0.7.1 in WordPress admin > Plugins > Installed Plugins.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Book a Place plugin endpoints without referrer headers
- Multiple failed nonce verification attempts in WordPress debug logs
Network Indicators:
- Cross-origin requests to Book a Place admin endpoints
- Suspicious JavaScript payloads in form submissions
SIEM Query:
source="wordpress" ("book-a-place" OR "book_a_place") AND ("nonce_failed" OR "invalid_nonce")