Executive Summary

CVE-2025-12685 is a Cross-Site Request Forgery (CSRF) vulnerability in the WPBookit WordPress plugin up to version 1.0.7. The plugin lacks CSRF protection when deleting customers, which means an attacker can trick an authenticated user into unknowingly sending a malicious request that deletes any customer. This can be done without the attacker being authenticated themselves, exploiting the absence of proper verification in the delete customer action. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an unauthenticated attacker to delete any customer from the WPBookit plugin by exploiting the CSRF flaw. This could lead to loss of customer data, disruption of service, and potential damage to business operations relying on the plugin for customer management. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to reproduce the CSRF attack using a curl command that sends a POST request to the WordPress admin AJAX endpoint (`wp-admin/admin-ajax.php`) with parameters `action=wpb_ajax_post`, `route_name=delete_customer`, and `delete_user_id=ID_USER` where `ID_USER` is the target customer's user ID. Monitoring for such suspicious POST requests targeting this endpoint with these parameters can help detect exploitation attempts. [1]

Useful 0 Not Useful 0

Mitigation Strategies

As of the latest update, no fix is available for this issue. Immediate mitigation steps include restricting access to the WordPress admin AJAX endpoint to trusted users only, implementing additional CSRF protections at the web server or application firewall level, and monitoring for suspicious requests that match the attack pattern. Additionally, consider disabling or removing the WPBookit plugin until a patch is released. [1]

Useful 0 Not Useful 0