WordPress Plugin Vulnerabilities

WPBookit <= 1.0.7 - Customer Deletion via CSRF

Description

The plugin lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack.

Proof of Concept

Affects Plugins

Plugin icon
wpbookit
No known fix

References

CVE
CVE-2025-12685

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Drtime
Submitter
Drtime
Submitter website
https://t.me/drtime_02111
Verified
Yes
WPVDB ID
e5ba488a-b43d-4c5f-9716-4b24701999f3

Timeline

Publicly Published
2025-12-12 (about 1 month ago)
Added
2025-12-12 (about 1 month ago)
Last Updated
2025-12-12 (about 1 month ago)

Other

Published
Title
Published
2022-09-05
Title
Login Block IPs <= 1.0.0 - Arbitrary Setting Update via CSRF
Published
2024-10-11
Title
ImagePress – Image Gallery < 1.3.0 - Cross-Site Request Forgery to Plugin Settings Update
Published
2023-09-29
Title
CopyRightPro <= 2.1 - Settings Update via CSRF
Published
2025-12-11
Title
Secure Copy Content Protection and Content Locking < 4.9.3 - Cross-Site Request Forgery to Data Export
Published
2025-12-03
Title
Business Directory < 6.4.20 - Cross-Site Request Forgery