Description
Cross-Site Request Forgery (CSRF) vulnerability in x000x occupancyplan allows SQL Injection. This issue affects occupancyplan: from n/a through 1.0.3.0 (inclusive).
Published: 2025-05-23
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The reported flaw is a Cross‑Site Request Forgery (CSRF) condition in the occupancyplan WordPress plugin. This defect permits an attacker to construct a request that will be accepted by the application on behalf of a logged‑in user and trigger arbitrary SQL statements, potentially allowing data disclosure, modification or deletion. The CVSS score of 8.2 places the weakness in the high severity range, indicating significant risk if exploited.

Affected Systems

All installations of the occupancyplan plugin distributed by vendor x000x, from the earliest revision through version 1.0.3.0, are vulnerable. No other products or earlier revisions are listed as affected in the available data.

Risk and Exploitability

The EPSS score is below 1 %, implying that widespread exploitation is currently unlikely, and the vulnerability has not been recorded by CISA in its KEV catalogue. The likely attack vector involves an attacker embedding a malicious URL in an email or on a website, tricking a logged‑in administrator into clicking it, and causing the plugin to execute harmful SQL. Because the weakness requires a victim who already holds the appropriate privileges, the scope is limited to sites where the plugin is enabled and the targeted user has administrative rights. Site operators should treat the flaw as high risk until a patch is installed.

Generated by OpenCVE AI on May 1, 2026 at 08:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the occupancyplan plugin to the latest patched release that removes the CSRF‑to‑SQL injection flaw.
  • If a newer version is unavailable, uninstall and permanently delete the occupancyplan plugin from the WordPress installation.
  • Until a patch is available, restrict the plugin’s usage to a minimal set of trusted administrative accounts and consider implementing additional CSRF protections such as server‑side nonce verification.
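The last recommendation, server‑side nonce verification, is the standard way a WordPress plugin closes a CSRF‑to‑SQL‑injection path of the kind described above. The handler below is an added, illustrative example; it is not code from the occupancyplan plugin, from Patchstack or from OpenCVE. The hook name, nonce action, table name, page slug and form field are assumed for the illustration. It pairs a capability check and check_admin_referer() (the nonce check) with $wpdb->prepare(), so a forged cross‑site request is rejected before any SQL runs and, even if it were not, the request value could not change the shape of the statement.

```php
<?php
// Illustrative WordPress admin form handler (not the occupancyplan plugin's code).
// Assumed names for the illustration: action 'occupancyplan_delete_entry',
// table '{prefix}occupancyplan_entries', admin page slug 'occupancyplan'.

add_action( 'admin_post_occupancyplan_delete_entry', 'occupancyplan_example_handle_delete' );

function occupancyplan_example_handle_delete() {
    global $wpdb;

    // 1. Authorization: only users who may manage the site reach the write path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: check_admin_referer() validates the '_wpnonce' field
    //    against the nonce action for the current user and dies on failure.
    //    A request forged from another origin cannot carry a valid nonce.
    check_admin_referer( 'occupancyplan_delete_entry' );

    // 3. Input validation: coerce the identifier to a non-negative integer
    //    before it is used anywhere near SQL.
    $entry_id = isset( $_POST['entry_id'] ) ? absint( $_POST['entry_id'] ) : 0;
    if ( 0 === $entry_id ) {
        wp_die( 'Invalid entry id.', '', array( 'response' => 400 ) );
    }

    // 4. Parameterised SQL: $wpdb->prepare() binds the value with %d; the table
    //    name is built from $wpdb->prefix, never from request data.
    $table = $wpdb->prefix . 'occupancyplan_entries'; // assumed table name
    $wpdb->query( $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $entry_id ) );

    wp_safe_redirect( admin_url( 'admin.php?page=occupancyplan' ) ); // assumed page slug
    exit;
}

// The form that posts to the handler must emit the matching nonce field;
// wp_nonce_field() writes the hidden '_wpnonce' input and a referer field.
function occupancyplan_example_render_form( $entry_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="occupancyplan_delete_entry">
        <input type="hidden" name="entry_id" value="<?php echo esc_attr( (int) $entry_id ); ?>">
        <?php wp_nonce_field( 'occupancyplan_delete_entry' ); ?>
        <button type="submit">Delete</button>
    </form>
    <?php
}
```

A handler that omits step 2 is reachable by a forged request from any page the administrator visits, which is the CWE‑352 condition in this advisory; a handler that omits step 4 lets that request choose the SQL, which is how a CSRF becomes SQL injection. Both checks are needed, and the capability check in step 1 limits which accounts can be used as a vehicle at all.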

Generated by OpenCVE AI on May 1, 2026 at 08:08 UTC.

Advisories

  Source: EUVD
  ID: EUVD-2025-28047
  Title: Cross-Site Request Forgery (CSRF) vulnerability in x000x occupancyplan allows SQL Injection. This issue affects occupancyplan: from n/a through 1.0.3.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Removed: Cross-Site Request Forgery (CSRF) vulnerability in x000x occupancyplan allows SQL Injection. This issue affects occupancyplan: from n/a through 1.0.3.0.
    Added: Cross-Site Request Forgery (CSRF) vulnerability in x000x occupancyplan occupancyplan allows SQL Injection.This issue affects occupancyplan: from n/a through <= 1.0.3.0.
  References: (no values shown)
  Metrics (cvssV3_1): {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L'}

Fri, 23 May 2025 15:15:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 May 2025 13:00:00 +0000

  Description: Cross-Site Request Forgery (CSRF) vulnerability in x000x occupancyplan allows SQL Injection. This issue affects occupancyplan: from n/a through 1.0.3.0.
  Title: WordPress occupancyplan plugin <= 1.0.3.0 - CSRF to SQL Injection vulnerability
  Weaknesses: CWE-352
  References: (no values shown)
  Metrics (cvssV3_1): {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L'}

MITRE

  Status: PUBLISHED
  Assigner: Patchstack
  Published:
  Updated: 2026-04-28T16:12:37.907Z
  Reserved: 2025-04-24T14:22:30.738Z
  Link: CVE-2025-46458

Vulnrichment

  Updated: 2025-05-23T14:49:21.918Z

NVD

  Status: Deferred
  Published: 2025-05-23T13:15:35.070
  Modified: 2026-04-23T15:30:01.737
  Link: CVE-2025-46458

Redhat

  No data.

OpenCVE Enrichment

  Updated: 2026-05-01T08:15:12Z

Weaknesses