CVE-2025-26910
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design's WPBookit WordPress plugin allows attackers to perform stored cross-site scripting (XSS) attacks. It affects WordPress sites running WPBookit versions up to and including 1.0.1. An attacker who lures a logged-in administrator to a page they control can forge a request that the plugin accepts without nonce verification, storing attacker-supplied script in the site's data; that script later executes in the browser of anyone who views the affected page.
💻 Affected Systems
- WPBookit WordPress Plugin
📦 What is this software?
WPBookit, an appointment booking plugin for WordPress by Iqonic Design.
⚠️ Risk & Real-World Impact
Worst Case
Injected JavaScript runs in an administrator's browser with that administrator's session. From there it can create a rogue administrator account, install a backdoor through the plugin or theme editor, deface pages, or redirect visitors to attacker-controlled sites, and every administrator who later views the compromised page triggers it again.
Likely Case
Attackers create fake booking forms or modify existing ones so that the injected script executes in visitors' browsers, where it can act with the visitor's session to perform unauthorized actions, harvest what they type into the form, or redirect them to phishing pages. WordPress authentication cookies are HttpOnly, so the script riding the session matters more than it reading the cookie.
If Mitigated
With nonce verification on every state-changing request and sanitization of stored fields, the forged request is rejected before anything is written, and this bug contributes nothing to an attack; the attacker is left needing an unrelated vulnerability.
🎯 Exploit Status
Exploitation requires social engineering: an administrator must load attacker-controlled content (a web page, or an HTML email rendered in a browser) while holding a valid WordPress session. No further click is needed if that page auto-submits the forged form. The SameSite=Lax default in current browsers blocks some cross-site POSTs, but it is not a substitute for nonce verification on the server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.0.1
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the WPBookit plugin.
4. Click 'Update Now' if an update is available.
5. If no update is offered, check the plugin's page in the WordPress.org directory for a release newer than 1.0.1. Reinstalling from the repository only helps if such a release exists; otherwise deactivate the plugin until one does.
🔧 Temporary Workarounds
Implement CSRF Protection Manually
Add nonce verification to the WPBookit request handlers to prevent CSRF attacks.
This requires modifying the plugin's PHP files: emit a nonce in each form with wp_nonce_field() and reject any request whose nonce fails wp_verify_nonce() (or check_admin_referer() / check_ajax_referer(), which wrap it) before any data is stored. Edits to vendor plugin files are overwritten by the next plugin update, so record the change and re-check after updating.
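The hardening described above, as an added example that is not WPBookit's own code: a hypothetical admin-ajax handler that stores a booking-form label, shown first in the CSRF-prone shape this advisory describes and then with nonce verification, a capability check, input sanitization and output escaping. The hook name example_save_label, the option name example_booking_label and the field name label are assumptions.

```php
<?php
/*
 * Added example, not code from WPBookit. Hook, option and field names
 * (example_save_label, example_booking_label, "label") are hypothetical.
 */

// Vulnerable shape: no nonce, no capability check, raw input written to the
// database. Any request that carries the administrator's cookies is accepted,
// including a form auto-submitted from an attacker's page. Not hooked here;
// shown only for contrast with the hardened handler below.
function example_vuln_save_label() {
    $label = $_POST['label'] ?? '';
    update_option( 'example_booking_label', $label ); // stored XSS sink
    wp_send_json_success();
}

// Hardened handler.
function example_safe_save_label() {
    // CSRF: the nonce ties this request to a form WordPress rendered for the
    // current user; check_ajax_referer() dies with -1 when it is missing or
    // invalid, so nothing below runs for a forged cross-site request.
    check_ajax_referer( 'example_save_label', '_wpnonce' );

    // Authorization: a valid nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input: undo WordPress's magic-quotes slashing, then strip tags, octets
    // and line breaks before the value is stored.
    $label = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );
    update_option( 'example_booking_label', $label );
    wp_send_json_success( array( 'label' => $label ) );
}
add_action( 'wp_ajax_example_save_label', 'example_safe_save_label' );

// The form that posts to the handler must carry the matching nonce, and the
// stored value is escaped on output even though it was sanitized on input.
function example_render_label_form() {
    $current = get_option( 'example_booking_label', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_label">
        <?php wp_nonce_field( 'example_save_label', '_wpnonce' ); ?>
        <input type="text" name="label" value="<?php echo esc_attr( $current ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

For a handler reached through admin-post.php rather than admin-ajax.php, the same fix uses check_admin_referer() in place of check_ajax_referer(). The order matters: the nonce check runs first so that a forged request never reaches the capability check or the database write, and escaping on output stays in place so that any value already stored by an earlier exploit cannot execute when the form is rendered.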
🧯 If You Can't Patch
- Disable the WPBookit plugin completely until a fixed version is available
- Add web application firewall (WAF) rules that reject POST requests to WPBookit endpoints whose Origin or Referer header is missing or names a host other than your own site
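A stop-gap for sites that cannot patch and have no WAF in front of them, as an added example that is not WPBookit's code: a must-use plugin that rejects cross-site POSTs to the plugin's admin entry points before WordPress dispatches them. It assumes WPBookit's state-changing requests go through admin-ajax.php or admin-post.php with an action parameter beginning with "wpbookit"; confirm that against the plugin's own add_action() hooks before deploying and adjust the prefix. The function names are hypothetical.

```php
<?php
/*
 * Plugin Name: WPBookit cross-site POST guard (added example)
 * Not WPBookit's code. Place in wp-content/mu-plugins/ so it loads on every
 * request and cannot be deactivated from the dashboard. The "wpbookit"
 * action prefix is an assumption about the plugin's entry points.
 */

// Is this a request to an admin entry point carrying a WPBookit action?
function example_guard_targets_wpbookit( array $request, string $script_name ): bool {
    $entry_points = array( 'admin-ajax.php', 'admin-post.php' );
    if ( ! in_array( basename( $script_name ), $entry_points, true ) ) {
        return false;
    }
    $action = $request['action'] ?? '';
    return is_string( $action ) && strncmp( strtolower( $action ), 'wpbookit', 8 ) === 0;
}

// True for a POST whose Origin (preferred) or Referer names a host other than
// the site's own. A POST with neither header is treated as cross-site: browsers
// send Origin on cross-site POSTs, and WordPress's own admin forms and AJAX
// calls carry a Referer. Non-POST requests are never blocked here.
function example_guard_is_cross_site( array $server, string $site_host ): bool {
    if ( strtoupper( $server['REQUEST_METHOD'] ?? 'GET' ) !== 'POST' ) {
        return false;
    }
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ( $source === '' || $source === 'null' ) { // "null" Origin: opaque/sandboxed
        return true;
    }
    $host = parse_url( $source, PHP_URL_HOST );
    return ! is_string( $host ) || strcasecmp( $host, $site_host ) !== 0;
}

// init fires while wp-load.php runs, before admin-ajax.php and admin-post.php
// dispatch their action hooks, so a rejected request never reaches the plugin.
add_action( 'init', function () {
    if ( ! example_guard_targets_wpbookit( $_REQUEST, $_SERVER['SCRIPT_NAME'] ?? '' ) ) {
        return;
    }
    $site_host = (string) parse_url( home_url(), PHP_URL_HOST );
    if ( example_guard_is_cross_site( $_SERVER, $site_host ) ) {
        // One line per blocked attempt; it contains "wpbookit" and "POST", so
        // a search for those terms in the PHP error log will surface it.
        error_log( sprintf(
            'wpbookit_guard blocked cross-site POST action=%s origin=%s referer=%s ip=%s',
            $_REQUEST['action'],
            $_SERVER['HTTP_ORIGIN'] ?? '-',
            $_SERVER['HTTP_REFERER'] ?? '-',
            $_SERVER['REMOTE_ADDR'] ?? '-'
        ) );
        wp_die( 'Cross-site request rejected.', 'Forbidden', array( 'response' => 403 ) );
    }
}, 0 );
```

This is origin enforcement, not nonce verification: it stops the cross-site delivery of the forged request but does nothing about script that is already stored. An administrator whose browser extension strips Referer on a browser that also omits Origin will have their own saves blocked; that is the trade-off of a stop-gap, and the plugin should still be updated or disabled.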
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for WPBookit version. If version is 1.0.1 or earlier, you are vulnerable.
Check Version:
wp plugin list --name=wpbookit --field=version (if WP-CLI is installed; wp plugin get wpbookit --field=version works too), or check the WordPress admin panel
Verify Fix Applied:
After updating, verify WPBookit version is greater than 1.0.1 in WordPress admin panel > Plugins > Installed Plugins.
📡 Detection & Monitoring
Log Indicators:
- POST requests to WPBookit admin endpoints (admin-ajax.php, admin-post.php) whose Referer or Origin header is missing or names a domain other than the site's own
- Repeated nonce failures, if the site logs them: stock WordPress does not log a failed nonce check (check_ajax_referer() answers -1 and check_admin_referer() shows the "link has expired" page), so this indicator exists only where a plugin, mu-plugin or WAF writes such a line
Network Indicators:
- Connections to unknown domains from administrators' browsers (visible in proxy or endpoint logs) shortly after they view booking or plugin admin pages, or from the web server itself if a backdoor has been installed
SIEM Query:
source="wordpress.log" AND ("wpbookit" OR "booking") AND ("POST" OR "nonce_failure")
This query assumes a log source that records nonce failures under a "nonce_failure" marker; stock WordPress writes no such line, so feed it from your WAF, a custom logging hook, or the web server's access log (which records the POST and the Referer but not the nonce result).