Description
Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit wpbookit allows Stored XSS.This issue affects WPBookit: from n/a through <= 1.0.1.
Published: 2025-03-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross‑Site Request Forgery in Iqonic Design’s WPBookit plugin allows an attacker to embed malicious scripts that are stored by the plugin, creating a stored Cross‑Site Scripting vector. Because the flaw is triggered by forged requests, a malicious website could cause a user’s browser to submit data that injects persistent code into the application. If the injected script runs on subsequent visits, it could execute in the context of any authenticated user, potentially enabling session hijacking, defacement, or data exfiltration. The likely attack vector is inferred from the description to involve forged HTTP requests that submit malicious payloads. The weakness is identified as CWE‑352.

Affected Systems

The vulnerability affects the Iqonic Design WPBookit plugin for WordPress, specifically all releases from the first build through version 1.0.1. Users running WPBookit 1.0.1 or earlier are impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, and the EPSS score of less than 1 % suggests that exploitation is currently unlikely but not impossible. The flaw is not listed in CISA’s KEV catalog. Based on the description, it is inferred that attackers can exploit the vulnerability by sending forged HTTP requests to the plugin’s endpoints from a malicious site, causing a victim’s browser to unknowingly submit the request and store malicious code. Once the payload is installed, any user who accesses the compromised content can be affected, making the attack highly potent if the attacker can persuade users to visit the site.

Generated by OpenCVE AI on May 2, 2026 at 03:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPBookit to the latest released version, which removes the CSRF issue.
  • If an upgrade is not immediately possible, disable the plugin or restrict its usage to trusted administrators until a patch is applied.
  • Add or enforce CSRF nonces on all forms and Ajax requests associated with the plugin to mitigate the risk of forged requests.

Generated by OpenCVE AI on May 2, 2026 at 03:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7716 Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit allows Stored XSS. This issue affects WPBookit: from n/a through 1.0.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit allows Stored XSS. This issue affects WPBookit: from n/a through 1.0.1. Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit wpbookit allows Stored XSS.This issue affects WPBookit: from n/a through <= 1.0.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 27 Jun 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Iqonic
Iqonic wpbookit
CPEs cpe:2.3:a:iqonicdesign:wpbookit:*:*:*:*:*:wordpress:*:* cpe:2.3:a:iqonic:wpbookit:*:*:*:*:free:wordpress:*:*
Vendors & Products Iqonicdesign
Iqonicdesign wpbookit
Iqonic
Iqonic wpbookit

Wed, 21 May 2025 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Iqonicdesign
Iqonicdesign wpbookit
CPEs cpe:2.3:a:iqonicdesign:wpbookit:*:*:*:*:*:wordpress:*:*
Vendors & Products Iqonicdesign
Iqonicdesign wpbookit

Tue, 11 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 10 Mar 2025 14:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit allows Stored XSS. This issue affects WPBookit: from n/a through 1.0.1.
Title WordPress WPBookit plugin <= 1.0.1 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Iqonic Wpbookit
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:43.886Z

Reserved: 2025-02-17T11:50:52.141Z

Link: CVE-2025-26910

cve-icon Vulnrichment

Updated: 2025-03-10T16:56:41.515Z

cve-icon NVD

Status : Modified

Published: 2025-03-10T15:15:37.660

Modified: 2026-04-23T15:26:02.670

Link: CVE-2025-26910

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T03:45:33Z

Weaknesses