CVE-2025-49332
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49332 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin WP Time Slots Booking Form (versions up to 1.2.30). It allows an attacker to trick authenticated users with higher privileges into performing unwanted actions without their consent, potentially compromising the integrity of the site. The vulnerability can be exploited by unauthenticated users and is classified under OWASP Top 10 category A1: Broken Access Control. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to perform unauthorized actions on your WordPress site through the WP Time Slots Booking Form plugin. Since it can trick privileged users into executing unwanted commands, it may lead to compromised site integrity. However, the severity is considered low with a CVSS score of 4.3, and the likelihood of exploitation is limited. Updating the plugin to version 1.2.31 or later mitigates this risk. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this CSRF vulnerability involves identifying if the vulnerable plugin WP Time Slots Booking Form version 1.2.30 or earlier is installed on your WordPress site. There are no specific network commands provided to detect exploitation attempts. You can check the plugin version via WordPress admin dashboard or by running commands to list installed plugins and their versions, such as 'wp plugin list' using WP-CLI. Monitoring for unusual POST requests to the plugin's endpoints from unauthenticated users may also help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the WP Time Slots Booking Form plugin to version 1.2.31 or later, which contains the fix. Alternatively, applying virtual patching (vPatching) provided by Patchstack can auto-mitigate the vulnerability before official patches are applied. Limiting user privileges and implementing CSRF protections such as tokens can also reduce risk. [1]