CVE-2025-49965
BaseFortify
Publication date: 2025-06-20
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in the WordPress PixelBeds Channel Manager and Hotel Booking Engine plugin (up to version 1.0). It allows an attacker to trick authenticated users with higher privileges into performing unwanted actions on the website without their consent. Essentially, the attacker exploits the trust a site has in the user's browser, causing the user to unknowingly execute malicious requests. [1]
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized actions being performed on your website by attackers exploiting authenticated users. This can compromise the security of your website by allowing attackers to manipulate settings or data through the victim's session. Since the plugin is abandoned and unpatched, the risk remains unless the plugin is removed or a virtual patch is applied. Automated attacks may opportunistically target this vulnerability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this CSRF vulnerability involves monitoring for unusual or unauthorized actions performed by authenticated users, especially those with higher privileges, that could indicate exploitation attempts. Since the vulnerability affects the PixelBeds Channel Manager and Hotel Booking Engine plugin up to version 1.0, checking for the presence and version of this plugin on your WordPress installation is a primary step. There are no specific commands provided in the resources, but you can use WordPress CLI commands such as 'wp plugin list' to identify installed plugins and their versions. Additionally, monitoring web server logs for suspicious POST requests or unusual user activity patterns may help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing and replacing the vulnerable PixelBeds Channel Manager and Hotel Booking Engine plugin, as no official fix or updated version is available. Simply deactivating the plugin is insufficient unless a virtual patch (vPatch) is applied. Patchstack offers virtual patching to automatically mitigate this vulnerability in the absence of official fixes. Therefore, users should either apply a virtual patch from Patchstack or remove the plugin entirely and switch to alternative software to eliminate the risk. [1]