CVE-2025-26910
Published: 10 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution. (This sentence is the MITRE ATT&CK description of technique T1059.007, to which this CVE is mapped in the technique section below; it is not a description of the CVE itself.)
Security Summary
CVE-2025-26910 is a Cross-Site Request Forgery (CSRF) vulnerability (CWE-352) in the WPBookit WordPress plugin by Iqonic Design that can be leveraged to achieve stored cross-site scripting (XSS). It affects all WPBookit versions up to and including 1.0.1 (listed as "n/a through 1.0.1", i.e. no fixed lower bound).
The vulnerability is exploitable by an unauthenticated remote attacker (AV:N/PR:N) with low attack complexity (AC:L), but it requires user interaction (UI:R): the attacker must lure an authenticated user, one whose session carries the rights the targeted plugin action needs, into loading a page that submits a forged request to the plugin. Because the plugin does not verify that the request originated from its own form, the forged request is processed with the victim's session and stores an XSS payload, which later executes in the browsers of users who view the affected content. The impacts on confidentiality, integrity and availability are each rated low (C:L/I:L/A:L), but the scope is changed (S:C) because the payload runs in other users' browsers rather than in the vulnerable component alone. The full vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L gives a CVSS v3.1 base score of 7.1 (High).
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpbookit/vulnerability/wordpress-wpbookit-plugin-1-0-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve. The vulnerability was published on 2025-03-10.
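As an added illustration (not WPBookit's code and not taken from the advisory), the following generic WordPress settings handler shows the CWE-352 pattern that lets a forged request store an XSS payload, alongside the hardened equivalent. All `example_*` function and action names, the option key `example_booking_notice` and the `manage_options` capability are assumptions chosen for this example; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `esc_html`, and so on) are real.

```php
<?php
// Added illustration, not WPBookit's code: a generic WordPress settings handler
// showing how a missing nonce check (CWE-352) lets a forged request store an
// XSS payload, and the hardened equivalent. All example_* names, the option
// key and the capability are assumptions made for this example.

/* ---------- Vulnerable pattern ---------- */

// Reached via POST to admin-post.php?action=example_vuln_save_notice.
// A page on any origin can submit this form with the victim's cookies, because
// nothing here proves the request came from the plugin's own settings page.
function example_vuln_save_notice() {
    $notice = isset( $_POST['notice'] ) ? wp_unslash( $_POST['notice'] ) : '';
    update_option( 'example_booking_notice', $notice ); // stored verbatim, no sanitisation
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}
add_action( 'admin_post_example_vuln_save_notice', 'example_vuln_save_notice' );

// The stored value is echoed without escaping, so a forged request carrying
// <script> markup becomes stored XSS for every user who views the notice.
function example_vuln_render_notice() {
    echo '<div class="notice">' . get_option( 'example_booking_notice', '' ) . '</div>';
}

/* ---------- Hardened pattern ---------- */

// The form carries a nonce bound to this action and the current session; a
// cross-origin page cannot read it, so it cannot forge a valid submission.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_notice">
        <?php wp_nonce_field( 'example_save_notice', '_example_nonce' ); ?>
        <textarea name="notice"><?php echo esc_textarea( get_option( 'example_booking_notice', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_notice() {
    // 1. CSRF: verify the nonce for this specific action. check_admin_referer()
    //    calls wp_die() on failure, so execution does not continue past it.
    check_admin_referer( 'example_save_notice', '_example_nonce' );

    // 2. Authorisation: a nonce proves intent, not permission. Check the
    //    capability as well so a low-privilege account cannot write the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Sanitise on write: the notice is plain text, so strip tags and control characters.
    $notice = isset( $_POST['notice'] ) ? sanitize_text_field( wp_unslash( $_POST['notice'] ) ) : '';
    update_option( 'example_booking_notice', $notice );

    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}
add_action( 'admin_post_example_save_notice', 'example_save_notice' );

// 4. Escape on output regardless of what was stored: if an older, unsanitised
//    value is still in the database, it is rendered as text, not as markup.
function example_render_notice() {
    echo '<div class="notice">' . esc_html( get_option( 'example_booking_notice', '' ) ) . '</div>';
}
```

The nonce check addresses the CWE-352 half of the chain; the capability check, input sanitisation and output escaping are the defence in depth that keeps a successful forgery, or any other write path, from turning into stored XSS. The layers are independent: a nonce without output escaping still leaves XSS reachable by any account that is allowed to submit the form, and escaping without a nonce still lets a forged request change the setting.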
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)
- Affected Products: WPBookit WordPress plugin (Iqonic Design), all versions up to and including 1.0.1
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.007 Command and Scripting Interpreter: JavaScript
Why these techniques?
The CSRF vulnerability sits in a public-facing WordPress plugin, so exploiting it means abusing the web application's own request handling (T1190). The forged request stores an XSS payload, and that payload gives the attacker arbitrary JavaScript execution in the browsers of users who later view it (T1059.007).