Impact
A Cross-Site Request Forgery flaw exists in the Easy Booked plugin for WordPress, allowing an attacker to submit forged requests that result in unauthorized booking operations being performed as an authenticated user. Because the plugin cannot verify that a request originated from its own forms, an attacker who gains access to a user’s session or convinces the user to visit a malicious site could trigger appointment creation or cancellation without the user’s consent. The vulnerability is a classic CSRF issue (CWE-352): it does not directly expose remote code execution or data exfiltration, but it can lead to unauthorized changes within the booking system and disrupt service availability.
Affected Systems
Easy Booked – Appointment Booking and Scheduling Management System for WordPress, by MD Abu Jubayer Hossain, is affected in all releases up to and including version 2.4.5. WordPress sites running any of these versions, with no newer version installed, are vulnerable.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests that the likelihood of automated exploitation is low. The vulnerability is not currently listed in CISA’s KEV catalog. Based on the description, the likely attack vector is a forged HTTP request issued from a malicious web page, or by a script on such a page, that causes the victim’s browser to submit the request with the victim’s existing cookies. The victim must be authenticated to the WordPress site and must hold sufficient privileges to perform booking operations. Once the CSRF request is processed, the attacker’s actions are carried out with the victim’s authority.
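The pattern behind a CWE-352 finding in a WordPress plugin, and the fix, is generic enough to show in code. The example below is added here and is not code from the Easy Booked plugin: it contrasts a booking handler that acts on a POST without an origin check against one guarded by a WordPress nonce and a capability check. Every identifier in it (the easybooked_demo_* functions, the eb_* form fields, the eb_booking post type, the manage_bookings capability) is hypothetical; the plugin's real handler and field names are not on the page.

```php
<?php
// Added example, not the Easy Booked plugin's own code. All names below
// (easybooked_demo_*, eb_* fields, 'eb_booking', 'manage_bookings') are assumed.

// Minimal data layer so the handlers are complete. Bookings are modelled as
// posts of a hypothetical custom post type 'eb_booking'.
function easybooked_demo_create_record( $slot ) {
    return wp_insert_post( array(
        'post_type'   => 'eb_booking',
        'post_title'  => $slot,
        'post_status' => 'publish',
    ) );
}
function easybooked_demo_cancel_record( $booking_id ) {
    return update_post_meta( $booking_id, '_eb_status', 'cancelled' );
}

/*
 * The shape that produces a CSRF finding. admin_post_{action} only runs for
 * logged-in users, so the handler relies on "is logged in" as its sole check.
 * Any page the victim visits can submit this request, and the browser attaches
 * the victim's WordPress cookies, so the cancellation runs with their authority.
 */
function easybooked_demo_cancel_unsafe() {
    $booking_id = absint( $_POST['eb_booking_id'] ?? 0 );
    easybooked_demo_cancel_record( $booking_id );
    wp_safe_redirect( admin_url( 'admin.php?page=easybooked-demo' ) );
    exit;
}

/*
 * Hardened form:
 *  1. check_admin_referer() verifies a nonce tied to this action and this
 *     user's session; it calls wp_die() on a missing or invalid nonce, so a
 *     forged cross-site request never reaches the state change.
 *  2. current_user_can() separately confirms the user is allowed to perform
 *     the operation at all (a nonce proves intent, not authorization).
 *  3. Input is unslashed and sanitised before use.
 */
function easybooked_demo_cancel_safe() {
    check_admin_referer( 'easybooked_demo_cancel', 'eb_nonce' );

    if ( ! current_user_can( 'manage_bookings' ) ) {
        wp_die( esc_html__( 'You are not allowed to cancel bookings.', 'easybooked-demo' ), 403 );
    }

    $booking_id = absint( wp_unslash( $_POST['eb_booking_id'] ?? 0 ) );
    if ( 0 === $booking_id ) {
        wp_die( esc_html__( 'Invalid booking id.', 'easybooked-demo' ), 400 );
    }

    easybooked_demo_cancel_record( $booking_id );
    wp_safe_redirect( admin_url( 'admin.php?page=easybooked-demo' ) );
    exit;
}
add_action( 'admin_post_easybooked_demo_cancel', 'easybooked_demo_cancel_safe' );

// The form that pairs with the hardened handler. wp_nonce_field() emits the
// hidden 'eb_nonce' input that check_admin_referer() validates above.
function easybooked_demo_render_cancel_form( $booking_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="easybooked_demo_cancel">
        <input type="hidden" name="eb_booking_id" value="<?php echo esc_attr( $booking_id ); ?>">
        <?php wp_nonce_field( 'easybooked_demo_cancel', 'eb_nonce' ); ?>
        <button type="submit">Cancel booking</button>
    </form>
    <?php
}

// The same two guards on an AJAX endpoint. check_ajax_referer() reads the nonce
// from the 'security' request field and stops the request (HTTP 403) on failure.
function easybooked_demo_create_ajax() {
    check_ajax_referer( 'easybooked_demo_create', 'security' );

    if ( ! current_user_can( 'manage_bookings' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $slot = sanitize_text_field( wp_unslash( $_POST['eb_slot'] ?? '' ) );
    if ( '' === $slot ) {
        wp_send_json_error( array( 'message' => 'missing slot' ), 400 );
    }

    $id = easybooked_demo_create_record( $slot );
    wp_send_json_success( array( 'booking_id' => $id ) );
}
add_action( 'wp_ajax_easybooked_demo_create', 'easybooked_demo_create_ajax' );
```

When reviewing a plugin for this class of bug, the check is mechanical: every admin_post_*, wp_ajax_* and REST callback that changes state must reach a nonce verification (check_admin_referer, check_ajax_referer or wp_verify_nonce) and a capability check before the write. The nonce alone is not sufficient, since a low-privileged user can obtain a valid nonce for their own session; the capability check is what limits who may create or cancel bookings.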