VikBooking Hotel Booking Engine & PMS < 1.7.3 – Cross-Site Request Forgery to Settings Update | CVE 2025-22670 | Plugin Vulnerabilities

Description

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 1.7.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/101fd983-bf41-4d3f-81a3-ddc14c55dfea

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dhabaleshwar Das

Verified

No

WPVDB ID

28d8431c-b944-443b-9081-ee340d372d80

Timeline

Publicly Published

2025-02-03 (about 1 year ago)

Added

2025-02-12 (about 1 year ago)

Last Updated

2025-02-12 (about 1 year ago)

Other

Published

Title

Published

2023-08-28

Title

Social Share Boost <= 4.5 - Plugin Settings Update via CSRF

Published

2024-04-04

Title

Classified Listing < 3.0.5 - Cross-Site Request Forgery to Account Takeover via rtcl_update_user_account

Published

2023-08-16

Title

WooCommerce PDF Invoice Builder < 1.2.91 - Invoice Fields Creation via CSRF

Published

2025-08-25

Title

BetPress <= 1.0.1 Lite - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2019-06-24

Title

Admin Renamer Extender <= 3.2.1 - CSRF