Description
The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack.
Published: 2026-01-02
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Destruction via Unauthenticated Customer Deletion
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing CSRF check in the delete customer endpoint of the WPBookit plugin up to version 1.0.7. Without this protection, an unauthenticated attacker can trick an authenticated user into visiting a crafted link or embedding a request, resulting in the deletion of the targeted customer record. This causes irreversible data loss, impacting record integrity and potentially violating data retention and compliance requirements.

Affected Systems

WordPress plugin WPBookit, versions up to 1.0.7. The issue applies to all releases ≤ 1.0.7; the plugin is available in the WordPress repository and may be installed on any WordPress site.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity with medium impact. The EPSS score of < 1 % suggests a low probability of exploitation at present. The vulnerability is not listed in CISA KEV, but the lack of CSRF guard makes the attack path simple – an attacker only needs to host a malicious page or send a crafted HTTP request to an authenticated user's browser. The attack is feasible without any network access to the WordPress admin interface and does not require additional privileges. Thus, while the likelihood is low, the potential loss of customer data warrants timely remediation.

Generated by OpenCVE AI on April 27, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WPBookit to the latest release (≥ 1.0.8 if available).
  • Add a CSRF nonce check to the delete customer request, for example by using `wp_nonce_field()` and verifying it before deletion.
  • If the plugin is no longer required, remove or deactivate WPBookit from the WordPress installation.

Generated by OpenCVE AI on April 27, 2026 at 22:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Iqonic
Iqonic wpbookit
Iqonicdesign
Iqonicdesign wpbookit
Wordpress
Wordpress wordpress
Vendors & Products Iqonic
Iqonic wpbookit
Iqonicdesign
Iqonicdesign wpbookit
Wordpress
Wordpress wordpress

Fri, 02 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 02 Jan 2026 06:15:00 +0000

Type Values Removed Values Added
Description The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack.
Title WPBookit <= 1.0.7 - Customer Deletion via CSRF
References

Subscriptions

Iqonic Wpbookit
Iqonicdesign Wpbookit
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:52.686Z

Reserved: 2025-11-04T05:28:26.059Z

Link: CVE-2025-12685

cve-icon Vulnrichment

Updated: 2026-01-02T21:09:44.545Z

cve-icon NVD

Status : Deferred

Published: 2026-01-02T06:15:53.283

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12685

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:15:15Z

Weaknesses