Platform
wordpress
Component
wp-hotel-booking
Fixed in
2.2.9
CVE-2025-63012 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in ThimPress WP Hotel Booking. This flaw allows an attacker to trick authenticated users into performing actions they did not intend, potentially leading to unauthorized modifications of booking information. The vulnerability impacts versions of WP Hotel Booking from 0.0.0 up to and including 2.2.8. A patch is available in version 2.2.9.
A successful CSRF attack could allow an attacker to manipulate booking data within the WP Hotel Booking plugin. This could involve creating fraudulent bookings, modifying existing reservations, or altering pricing information. The attacker would need to lure a legitimate user into clicking a malicious link or visiting a crafted webpage. The blast radius is limited to users with access to the WordPress admin panel and the ability to manage bookings, but the potential for financial loss and reputational damage is significant, especially for businesses relying on accurate booking data.
CVE-2025-63012 was publicly disclosed on 2025-12-09. There are currently no known public proof-of-concept exploits available. The vulnerability's severity is assessed as MEDIUM, suggesting a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-63012 is to immediately upgrade the WP Hotel Booking plugin to version 2.2.9 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. Additionally, ensure that all user input fields related to booking data are properly validated and sanitized to prevent malicious data from being submitted. After upgrading, verify the fix by attempting to trigger a booking modification through a crafted URL – it should be rejected.
Update to version 2.2.9, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-63012 is a Cross-Site Request Forgery (CSRF) vulnerability affecting ThimPress WP Hotel Booking versions 0.0.0–2.2.8, allowing attackers to forge requests and potentially modify booking data.
You are affected if you are using WP Hotel Booking version 0.0.0 through 2.2.8. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the WP Hotel Booking plugin to version 2.2.9 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation if upgrading is not immediately possible.
As of the current disclosure date, there are no confirmed reports of active exploitation, but the vulnerability's potential impact warrants immediate attention.
Refer to the ThimPress website and WordPress plugin repository for the official advisory and update information regarding CVE-2025-63012.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.