CVE-2025-25168

7.1 HIGH

📋 TL;DR

A CSRF vulnerability in the BookPress WordPress plugin allows attackers to trick authenticated administrators into executing malicious actions, which can lead to stored XSS attacks. This affects all WordPress sites running BookPress plugin versions up to 1.2.7. Attackers can inject malicious scripts that execute when other users visit affected pages.

💻 Affected Systems

Products:
  • BookPress – For Book Authors WordPress plugin
Versions: n/a through 1.2.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress installation with the BookPress plugin enabled. The attack requires tricking an authenticated administrator into visiting a malicious page.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could inject persistent malicious scripts that steal session cookies, redirect users to phishing sites, or perform administrative actions on behalf of users, potentially leading to complete site compromise.

🟠 Likely Case

Attackers inject malicious JavaScript that steals administrator cookies or session tokens, allowing them to hijack administrative accounts and modify site content.

🟢 If Mitigated

With proper CSRF protections and content security policies, the attack surface is reduced, though the vulnerability still exists in the codebase.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires social engineering to trick authenticated users. The CSRF leads to stored XSS, making the attack persistent.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.2.7

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/book-press/vulnerability/wordpress-bookpress-for-book-authors-plugin-1-2-7-csrf-to-stored-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'BookPress – For Book Authors'.
4. Click 'Update Now' if available.
5. If no update is available, deactivate and remove the plugin.

🔧 Temporary Workarounds

Implement CSRF Tokens (applies to: all)

Add CSRF protection to all form submissions and AJAX requests in the plugin

Content Security Policy (applies to: all)

Implement strict CSP headers to mitigate XSS impact
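As an added illustration (not BookPress's code and not the vendor's fix), the following hypothetical WordPress plugin settings handler shows the CSRF-token workaround above applied to both a form submission and an AJAX request, together with the input sanitizing and output escaping that keep a forged request from becoming stored XSS. All `bp_demo_` names and the option key are assumptions made for this example.

```php
<?php
// Added example, not BookPress code: hypothetical "bp_demo_" settings handler
// hardened against CSRF-to-stored-XSS. All bp_demo_ names are assumptions.

// Form side: emit the nonce the handlers below verify; escape the stored value on output.
function bp_demo_render_settings_form() {
    $tagline = get_option( 'bp_demo_tagline', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="bp_demo_save_tagline">
        <?php wp_nonce_field( 'bp_demo_save_tagline', 'bp_demo_nonce' ); ?>
        <input type="text" name="tagline" value="<?php echo esc_attr( $tagline ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Classic form POST through admin-post.php.
function bp_demo_save_tagline() {
    // CSRF check: dies ("link expired") unless a valid nonce for this action is present.
    check_admin_referer( 'bp_demo_save_tagline', 'bp_demo_nonce' );
    // A nonce proves intent, not privilege: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Sanitize on input so markup never reaches the database.
    $tagline = isset( $_POST['tagline'] ) ? sanitize_text_field( wp_unslash( $_POST['tagline'] ) ) : '';
    update_option( 'bp_demo_tagline', $tagline );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_bp_demo_save_tagline', 'bp_demo_save_tagline' );

// AJAX path: same three checks, with check_ajax_referer() doing the CSRF part.
function bp_demo_ajax_save_tagline() {
    check_ajax_referer( 'bp_demo_save_tagline', 'bp_demo_nonce' ); // dies on a bad or missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $tagline = isset( $_POST['tagline'] ) ? sanitize_text_field( wp_unslash( $_POST['tagline'] ) ) : '';
    update_option( 'bp_demo_tagline', $tagline );
    wp_send_json_success( array( 'tagline' => esc_html( $tagline ) ) );
}
// Logged-in hook only (no wp_ajax_nopriv_), so anonymous requests never reach the handler.
add_action( 'wp_ajax_bp_demo_save_tagline', 'bp_demo_ajax_save_tagline' );
```

The nonce check stops the cross-site request the advisory describes; the capability check, input sanitizing and output escaping are what keep a request that does get through from storing executable markup.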

🧯 If You Can't Patch

  • Disable or remove the BookPress plugin immediately
  • Implement web application firewall rules to block CSRF attempts and XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for BookPress version. If version is 1.2.7 or earlier, you are vulnerable.

Check Version:

wp plugin list --name=book-press --field=version

Verify Fix Applied:

After updating, verify BookPress version is higher than 1.2.7 in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to BookPress admin endpoints without referrer headers
  • Multiple failed CSRF token validations

Network Indicators:

  • Cross-origin requests to BookPress admin endpoints
  • Suspicious JavaScript payloads in form submissions

SIEM Query:

source="wordpress.log" AND ("bookpress" OR "book-press") AND ("POST" OR "admin-ajax") AND NOT referer="*your-domain*"
