Platform
wordpress
Component
wpbookit
Fixed in
1.0.8
CVE-2025-12685 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the WPBookit WordPress plugin. This flaw allows an unauthenticated attacker to delete customer records without proper authorization. The vulnerability impacts versions of WPBookit up to and including 1.0.7. A fix is available in a later version of the plugin.
The primary impact of this CSRF vulnerability is the unauthorized deletion of customer data within the WPBookit plugin. An attacker could craft a malicious request, potentially embedded in a website or email, that, when visited by a legitimate user of the WordPress site, would trigger the deletion of customer records. This could lead to data loss, disruption of services, and potential reputational damage for the website owner. The attacker does not need to authenticate to exploit this vulnerability; a simple crafted request is sufficient. The scope of the impact depends on the sensitivity of the customer data stored within WPBookit and the number of customers affected.
CVE-2025-12685 was publicly disclosed on 2026-01-02. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the relatively low CVSS score and lack of public exploits, the probability of active exploitation is considered low, but vigilance is still advised.
Websites utilizing the WPBookit WordPress plugin, particularly those with sensitive customer data, are at risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as they may be slower to apply security patches. Sites with weak access controls or a lack of CSRF protection on other critical functionalities are also more vulnerable.
• wordpress / composer / npm:
grep -r 'wp_bookit_delete_customer' /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
wp plugin list --status=all | grep wp-bookit
• wordpress / composer / npm:
wp plugin update wp-bookit
Disclosure
Exploit status
EPSS
0.01% (1st percentile)
CVSS vector
The primary mitigation for CVE-2025-12685 is to upgrade the WPBookit plugin to a version that includes the CSRF protection fix. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting access to the customer deletion functionality to authenticated administrators only. Additionally, implement a Web Application Firewall (WAF) rule to filter out requests that lack a valid CSRF token for the customer deletion endpoint. Regularly review WordPress plugin security best practices and ensure all plugins are kept up-to-date to minimize the attack surface. After upgrade, confirm by attempting to delete a test customer via a different browser session to ensure CSRF protection is active.
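To make the workaround concrete, here is an added example (written for this page, not WPBookit's own code) of a generic WordPress admin-ajax "delete customer" handler in a weak form next to a hardened form that applies the controls the paragraph above describes: a nonce bound to the action, a capability check, and no `wp_ajax_nopriv_` registration. Every name in it (the `hypo_` action slugs and functions, the nonce action string, the `hypothetical_customers` table and the `hypo-admin` script handle) is an assumption; the WordPress functions (`check_ajax_referer`, `current_user_can`, `wp_create_nonce`, `wp_send_json_error`, `absint`) are real core APIs.

```php
<?php
/**
 * Added example, not WPBookit's code. All hypo_/hypothetical_ names,
 * the nonce action string and the table name are assumptions.
 */

// Stand-in for the plugin's own deletion logic (hypothetical table).
function hypothetical_delete_customer( int $customer_id ): bool {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_customers';
    return false !== $wpdb->delete( $table, array( 'id' => $customer_id ), array( '%d' ) );
}

// --- Weak pattern (kept unregistered): reachable by logged-out users via the
// nopriv hook, no nonce, no capability check, id taken from GET or POST.
// Any request that carries a customer_id is honoured, which is the shape of
// the CSRF flaw this advisory describes.
function hypo_delete_customer_weak() {
    $id = isset( $_REQUEST['customer_id'] ) ? absint( $_REQUEST['customer_id'] ) : 0;
    hypothetical_delete_customer( $id );
    wp_send_json_success();
}
// add_action( 'wp_ajax_hypo_delete_customer', 'hypo_delete_customer_weak' );
// add_action( 'wp_ajax_nopriv_hypo_delete_customer', 'hypo_delete_customer_weak' );

// --- Hardened pattern: logged-in users only, nonce tied to this action,
// administrator capability required, id accepted only from POST as an integer.
function hypo_delete_customer_hardened() {
    // 1. Reject requests without a valid nonce for this action. With the third
    //    argument true, check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'hypo_delete_customer', 'nonce', true );

    // 2. Restrict customer deletion to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Accept the id only via POST and coerce it to a positive integer.
    $id = isset( $_POST['customer_id'] ) ? absint( $_POST['customer_id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid id' ), 400 );
    }

    if ( ! hypothetical_delete_customer( $id ) ) {
        wp_send_json_error( array( 'message' => 'delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}
// Register the logged-in hook only; deliberately no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_hypo_delete_customer', 'hypo_delete_customer_hardened' );

// Hand the nonce to the admin page that renders the delete button so the
// legitimate front end can send it with the request. Assumes a script with
// handle 'hypo-admin' has already been registered/enqueued.
function hypo_localize_delete_nonce() {
    wp_localize_script( 'hypo-admin', 'hypoDelete', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hypo_delete_customer' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hypo_localize_delete_nonce' );
```

The same three checks are what a WAF rule for the deletion endpoint should approximate from the outside (drop requests to the action that lack the nonce parameter or arrive without a logged-in session cookie), and they are what the post-upgrade verification in the paragraph above is testing: a deletion attempted from a second browser session without a fresh nonce must be rejected.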
No known patch available. Please review the vulnerability details thoroughly and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2025-12685 is a Cross-Site Request Forgery (CSRF) vulnerability in the WPBookit WordPress plugin, allowing unauthorized customer deletion.
You are affected if you are using WPBookit version 1.0.7 or earlier. Upgrade to a patched version to resolve the issue.
Upgrade the WPBookit plugin to the latest available version. If upgrading is not possible, restrict access to the customer deletion functionality and implement a WAF rule.
There are currently no known public exploits or confirmed active exploitation campaigns targeting this vulnerability.
Refer to the WPBookit plugin documentation and website for the latest security advisories and updates.