CVE-2025-62934
📋 TL;DR
This CSRF vulnerability in the WP Business Hours WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions, leading to stored cross-site scripting (XSS). Attackers can inject malicious scripts that execute in victims' browsers when they visit compromised pages. All WordPress sites using WP Business Hours version 1.4 or earlier are affected.
💻 Affected Systems
- WP Business Hours WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject persistent malicious scripts that steal administrator credentials, hijack sessions, deface websites, or install backdoors, potentially leading to complete site compromise.
Likely Case
Attackers create fake admin requests to inject malicious JavaScript that steals session cookies or redirects users to phishing sites when they visit affected pages.
If Mitigated
With proper CSRF protections and content security policies, the attack surface is reduced, though the vulnerability still exists in the codebase.
🎯 Exploit Status
Exploitation requires tricking an authenticated administrator into clicking a malicious link or visiting a compromised page. The CSRF-to-XSS chain is well-documented and relatively easy to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: >1.4
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'WP Business Hours' and check if update is available. 4. Click 'Update Now' if update is available. 5. If no update appears, manually download latest version from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the WP Business Hours plugin until patched to eliminate the attack surface.
wp plugin deactivate wp-business-hours
CSRF Protection Headers
allImplement Content Security Policy (CSP) headers to restrict script execution sources.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent execution of injected scripts.
- Use WordPress security plugins that add CSRF protection layers to all admin actions.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for WP Business Hours version. If version is 1.4 or lower, you are vulnerable.Check Version:
wp plugin get wp-business-hours --field=versionVerify Fix Applied:
After updating, verify WP Business Hours version is greater than 1.4 in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php with wp-business-hours actions
- Multiple failed CSRF token validations in WordPress debug logs
- Unexpected script tags in wp-business-hours settings or output
Network Indicators:
- HTTP requests with suspicious referer headers targeting admin endpoints
- Unexpected outbound connections from WordPress admin sessions
SIEM Query:
source="wordpress.log" AND ("wp-business-hours" OR "admin-ajax.php") AND ("POST" OR "csrf")