Platform
wordpress
Component
wp-hotel-booking
Fixed version
2.2.9
CVE-2025-63012 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in ThimPress WP Hotel Booking. This flaw allows an attacker to trick authenticated users into performing actions they did not intend, potentially leading to unauthorized modifications of booking information. The vulnerability impacts versions of WP Hotel Booking from 0.0.0 up to and including 2.2.8. A patch is available in version 2.2.9.
A successful CSRF attack could allow an attacker to manipulate booking data within the WP Hotel Booking plugin. This could involve creating fraudulent bookings, modifying existing reservations, or altering pricing information. The attacker would need to lure a legitimate user into clicking a malicious link or visiting a crafted webpage. The blast radius is limited to users with access to the WordPress admin panel and the ability to manage bookings, but the potential for financial loss and reputational damage is significant, especially for businesses relying on accurate booking data.
CVE-2025-63012 was publicly disclosed on 2025-12-09. There are currently no known public proof-of-concept exploits available. The vulnerability's severity is assessed as MEDIUM, suggesting a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Hotels and businesses utilizing the WP Hotel Booking plugin for online reservations are at risk. Specifically, sites with shared hosting environments or those running older, unpatched WordPress installations are particularly vulnerable. Users who frequently manage bookings through the WordPress admin panel are also at higher risk.
• wordpress / composer / npm:
grep -r 'wp_hotel_booking_ajax_save_booking' /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
wp plugin list --status=all | grep wp-hotel-booking
• wordpress / composer / npm:
wp plugin update wp-hotel-booking
Exploitation status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-63012 is to immediately upgrade the WP Hotel Booking plugin to version 2.2.9 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. Additionally, ensure that all user input fields related to booking data are properly validated and sanitized to prevent malicious data from being submitted. After upgrading, verify the fix by attempting to trigger a booking modification through a crafted URL – it should be rejected.
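As an added illustration (not WP Hotel Booking's own code, and not the specific handler behind this CVE), the following hypothetical WordPress AJAX booking handler is shown first without and then with the nonce and capability checks that stop a cross-site forged request; the `hb_example_*` names and the `_hb_status` meta key are invented for the example.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical admin-ajax handler
// that changes a booking's status, in an unprotected and a protected form.

// --- Vulnerable pattern: trusts any request carrying a logged-in cookie ---
function hb_example_save_booking_unprotected() {
    $booking_id = isset($_POST['booking_id']) ? absint($_POST['booking_id']) : 0;
    $status     = isset($_POST['status']) ? sanitize_text_field(wp_unslash($_POST['status'])) : '';
    // A form auto-submitted from a third-party page arrives here with the
    // victim's session cookie, so the update runs without the victim's intent.
    update_post_meta($booking_id, '_hb_status', $status);
    wp_send_json_success();
}

// --- Hardened pattern: nonce + capability check before any state change ---
function hb_example_save_booking_protected() {
    // The nonce is bound to this action and the current user; an attacker's
    // page cannot read it, so a forged request dies here with HTTP 403.
    check_ajax_referer('hb_example_save_booking', 'nonce');

    // CSRF protection is not authorization: still confirm the caller may edit.
    if (!current_user_can('edit_posts')) {
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }

    $booking_id = isset($_POST['booking_id']) ? absint($_POST['booking_id']) : 0;
    $status     = isset($_POST['status']) ? sanitize_text_field(wp_unslash($_POST['status'])) : '';
    $allowed    = array('pending', 'completed', 'cancelled');
    if (!$booking_id || !in_array($status, $allowed, true)) {
        wp_send_json_error(array('message' => 'Invalid input'), 400);
    }
    update_post_meta($booking_id, '_hb_status', $status);
    wp_send_json_success();
}
add_action('wp_ajax_hb_example_save_booking', 'hb_example_save_booking_protected');

// The nonce is only handed out on the legitimate admin page, for example when
// enqueueing the script that submits the booking form:
// wp_localize_script('hb-example-admin', 'hbExample', array(
//     'nonce' => wp_create_nonce('hb_example_save_booking'),
// ));
```

Auditing a plugin for this class of bug means checking that every `wp_ajax_*` and `admin_post_*` handler that writes data calls `check_ajax_referer()` or `check_admin_referer()` before the write.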
Update to version 2.2.9 or a later fixed version.
CVE-2025-63012 is a Cross-Site Request Forgery (CSRF) vulnerability affecting ThimPress WP Hotel Booking versions 0.0.0–2.2.8, allowing attackers to forge requests and potentially modify booking data.
You are affected if you are using WP Hotel Booking version 0.0.0 through 2.2.8. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the WP Hotel Booking plugin to version 2.2.9 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation if upgrading is not immediately possible.
As of the current disclosure date, there are no confirmed reports of active exploitation, but the vulnerability's potential impact warrants immediate attention.
Refer to the ThimPress website and WordPress plugin repository for the official advisory and update information regarding CVE-2025-63012.