Platform: wordpress
Component: wpbookit
Fixed in: 1.0.8
CVE-2025-12685 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the WPBookit WordPress plugin. The flaw lets an unauthenticated attacker cause customer records to be deleted without proper authorization. It affects WPBookit versions up to and including 1.0.7; a fix is available in a later version of the plugin.
The primary impact of this CSRF vulnerability is the unauthorized deletion of customer data held by the WPBookit plugin. An attacker could craft a malicious request, for example embedded in a web page or e-mail, that, when a legitimate logged-in user of the WordPress site visits it, triggers the deletion of customer records. This could lead to data loss, disruption of services, and reputational damage for the site owner. The attacker needs no account on the site: the forged request is executed with the privileges of the victim whose browser sends it. The scope of the impact depends on the sensitivity of the customer data stored in WPBookit and the number of customers affected.
CVE-2025-12685 was publicly disclosed on 2026-01-02. There are currently no known public proof-of-concept exploits. The vulnerability is not listed in the CISA KEV catalog at the time of writing. Given the relatively low CVSS score and the lack of public exploits, the probability of active exploitation is considered low, but vigilance is still advised.
Exploit Status
EPSS: 0.01% (1st percentile)
CVSS Vector
The primary mitigation for CVE-2025-12685 is to upgrade the WPBookit plugin to a version that includes the CSRF protection fix. If upgrading is not immediately feasible because of compatibility issues or breaking changes, a temporary workaround is to restrict the customer deletion functionality to authenticated administrators only. Additionally, add a Web Application Firewall (WAF) rule that blocks requests to the customer deletion endpoint that lack a valid CSRF token (WordPress nonce). Regularly review WordPress plugin security best practices and keep all plugins up to date to minimize the attack surface. After upgrading, confirm that the protection is active by attempting to delete a test customer from a different browser session and verifying that the request without a valid token is rejected.
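The two protections named above (a nonce check and an administrator-only capability check) are what a patched WordPress handler needs; the following is an added illustration written for this page, not WPBookit's own code. The action name, function names, nonce field name and table name are hypothetical.

```php
<?php
// Added example (not WPBookit's code): an admin-ajax handler that deletes a
// customer record, shown first as the unprotected pattern that CSRF abuses,
// then hardened with a nonce check and a capability check.
// All identifiers below are hypothetical.

// --- Weak pattern: every request that reaches admin-ajax.php with this action
// and a customer id is honoured, so a logged-in user lured to a malicious page
// deletes the record without intending to.
function example_delete_customer_unprotected() {
    global $wpdb;
    $id = isset( $_POST['customer_id'] ) ? absint( $_POST['customer_id'] ) : 0;
    $wpdb->delete( $wpdb->prefix . 'example_customers', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}

// --- Hardened pattern: the request must carry a nonce that only a page rendered
// by this site for this user can contain, and the user must hold the capability.
function example_delete_customer_protected() {
    global $wpdb;

    // Terminates the request (HTTP 403) unless $_POST['nonce'] holds a nonce
    // created for the action 'example_delete_customer' and the current user.
    check_ajax_referer( 'example_delete_customer', 'nonce' );

    // Authorization is separate from CSRF protection: a valid nonce proves
    // intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $id = isset( $_POST['customer_id'] ) ? absint( $_POST['customer_id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'missing customer id', 400 );
    }

    $wpdb->delete( $wpdb->prefix . 'example_customers', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}

// Register only the protected handler, and only for logged-in users: there is
// no 'wp_ajax_nopriv_' hook, so unauthenticated visitors cannot reach it.
add_action( 'wp_ajax_example_delete_customer', 'example_delete_customer_protected' );

// The admin page that renders the delete button passes the nonce to the script
// that issues the request, for example:
//   wp_localize_script( 'example-admin', 'exampleAjax', array(
//       'nonce' => wp_create_nonce( 'example_delete_customer' ),
//   ) );
```

A WAF rule that requires the same nonce field on the deletion endpoint cannot validate the nonce itself (it is tied to the user session), so it is a stopgap that only filters requests missing the field entirely; the server-side check above is the real fix.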
CVE-2025-12685 is a Cross-Site Request Forgery (CSRF) vulnerability in the WPBookit WordPress plugin that allows unauthorized deletion of customer records.
You are affected if you are running WPBookit version 1.0.7 or earlier. Upgrade to a patched version to resolve the issue.
Upgrade the WPBookit plugin to the latest available version. If upgrading is not possible, restrict access to the customer deletion functionality and implement a WAF rule.
There are currently no known public exploits or confirmed active exploitation campaigns targeting this vulnerability.
Refer to the WPBookit plugin documentation and website for the latest security advisories and updates.