CVE-2025-46251

7.1 HIGH

📋 TL;DR

A Cross-Site Request Forgery (CSRF) vulnerability in the VikRestaurants WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions. This affects all WordPress sites using VikRestaurants Table Reservations and Take-Away plugin versions up to 1.3.3.

💻 Affected Systems

Products:
  • VikRestaurants Table Reservations and Take-Away WordPress plugin
Versions: n/a through 1.3.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress installation with the vulnerable plugin enabled; the victim must be an authenticated administrator, since the forged request rides on the victim's session.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could chain this CSRF with stored XSS to compromise administrator accounts, deface websites, or steal sensitive data.

🟠 Likely Case

Attackers create malicious forms that trick administrators into changing plugin settings or injecting malicious content.

🟢 If Mitigated

With proper CSRF tokens (WordPress nonces verified on every state-changing request) and origin checks, the forged request would be rejected and the vulnerability prevented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW
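
The nonce check the "If Mitigated" case refers to, as an added illustration that is not VikRestaurants' code: a settings-save handler in the unprotected form that CSRF abuses, followed by the hardened version. Function, option and action names prefixed vikr_ are hypothetical.

```php
<?php
// Added example, not from the VikRestaurants plugin. Hypothetical names: vikr_*.

// --- Vulnerable pattern (shown only for contrast, not registered as a hook):
// any POST that reaches the handler while the victim is logged in as an
// administrator is accepted, including one submitted by a form on a
// third-party page. The attacker-chosen value lands in the option and, if it
// is later echoed unescaped, becomes stored XSS.
function vikr_save_settings_unsafe() {
    update_option( 'vikr_footer_text', $_POST['footer_text'] ?? '' );
    wp_safe_redirect( admin_url( 'admin.php?page=vikr' ) );
    exit;
}

// --- Hardened pattern, registered on the admin-post.php action hook.
add_action( 'admin_post_vikr_save', 'vikr_save_settings' );
function vikr_save_settings() {
    // Capability check: only administrators may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Nonce check: the token is bound to the logged-in user, the action name
    // and a time window. A cross-site form cannot read it, so a forged
    // request dies here with "The link you followed has expired."
    check_admin_referer( 'vikr_save_settings', 'vikr_nonce' );

    // Sanitize on input (and escape on output) to close the stored-XSS side.
    $text = sanitize_text_field( wp_unslash( $_POST['footer_text'] ?? '' ) );
    update_option( 'vikr_footer_text', $text );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=vikr' ) ) );
    exit;
}

// Settings form: wp_nonce_field() emits the hidden token that the handler checks.
function vikr_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="vikr_save">
        <?php wp_nonce_field( 'vikr_save_settings', 'vikr_nonce' ); ?>
        <label>Footer text
            <input type="text" name="footer_text"
                   value="<?php echo esc_attr( get_option( 'vikr_footer_text', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```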

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering: an authenticated administrator must visit an attacker-controlled page or click a crafted link while logged in.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.4 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/vikrestaurants/vulnerability/wordpress-vikrestaurants-table-reservations-and-take-away-plugin-1-3-3-csrf-to-stored-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the VikRestaurants plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.3.4 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

CSRF Protection Headers (platform: all)

Implement Content Security Policy (CSP) headers to restrict form submissions.

Add to .htaccess (requires mod_headers): Header set Content-Security-Policy "default-src 'self'; form-action 'self'"

Caveat: form-action only governs forms on pages your own server delivers; a form hosted on an attacker's page is not subject to your CSP, so this header does not block the cross-site request itself and is defence in depth at best (it does limit where injected content on your pages can post to). Also, default-src 'self' blocks third-party scripts, fonts and images the site may depend on; test before deploying.

Disable Plugin (platform: linux)

Temporarily disable the vulnerable plugin until patched (WP-CLI, run from the site root):

wp plugin deactivate vikrestaurants

🧯 If You Can't Patch

  • Restrict administrator access to trusted networks only.
  • Implement web application firewall (WAF) rules that reject state-changing (POST) requests to the plugin's admin endpoints whose Origin or Referer header is missing or does not match your site.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > VikRestaurants for version number. If version is 1.3.3 or lower, you are vulnerable.

Check Version:

wp plugin get vikrestaurants --field=version

Verify Fix Applied:

After update, confirm plugin version shows 1.3.4 or higher in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to VikRestaurants admin endpoints without Referer headers.
  • Multiple failed CSRF token validations. WordPress does not log nonce failures by default; a failed check returns the "The link you followed has expired." page, so capture these at the web-server or WAF layer or enable debug logging.

Network Indicators:

  • HTTP requests with missing or forged Referer headers to plugin admin pages.
  • Unexpected cross-origin form submissions to VikRestaurants endpoints.

SIEM Query:

source="wordpress.log" AND "vikrestaurants" AND ("csrf" OR "invalid nonce")
