Impact
A CSRF flaw exists in the codepeople WP Time Slots Booking Form plugin in all releases up to and including version 1.2.30. Because the plugin does not verify that a state-changing request originated from its own forms, an attacker who causes a logged-in user to submit a crafted request can have the site perform authenticated actions with that user's permissions. This weakness can be abused to create, modify, or cancel bookings and potentially alter other booking-related settings, compromising the confidentiality, integrity, and availability of the booking system. The CVSS score of 4.3 places the risk in the low to moderate range, but the actual impact depends on the permissions of the victim and the sensitivity of the data handled by the plugin.
Affected Systems
The vulnerability affects the WordPress plugin WP Time Slots Booking Form developed by codepeople. All versions from the first release (n/a) through 1.2.30 are impacted. Users running these versions on a WordPress site are at risk.
Risk and Exploitability
The EPSS score of less than 1% suggests that exploitation is currently uncommon, and the vulnerability is not listed in CISA's KEV catalog. Nevertheless, an attacker can exploit the flaw by inducing a legitimate user to load a crafted page or submit a form that triggers the vulnerable action. The attacker needs no privileges of their own, but the victim must be authenticated, and the forged request executes with the victim's permissions. The overall risk is moderate; updating the plugin is the recommended remediation.
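To show what the missing check looks like and how the fix closes it, the following is an added illustration written for this page, not code from the plugin or from codepeople. It contrasts a hypothetical booking handler in the CSRF-prone shape with the same handler hardened using WordPress nonces and a capability check; the action name demo_cancel_booking, the demo_cancel_booking() function and the manage_options capability are assumptions.

```php
<?php
// Added illustration, not the plugin's own code: a hypothetical booking handler
// in the CSRF-prone shape, then the hardened form using WordPress nonces. The
// action name 'demo_cancel_booking' and demo_cancel_booking() are assumptions.
function demo_cancel_booking( $booking_id ) { /* assumed booking logic */ }

// Unprotected handler: a request the victim's browser sends on their behalf is
// accepted, because the only implicit check is that a login cookie is present.
add_action( 'admin_post_demo_cancel_booking_unsafe', function () {
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    demo_cancel_booking( $booking_id ); // runs with the victim's privileges
    wp_safe_redirect( admin_url( 'admin.php?page=demo-bookings' ) );
    exit;
} );

// Hardened handler: the nonce proves the request came from a form this site
// rendered for this user; the capability check enforces least privilege.
add_action( 'admin_post_demo_cancel_booking', function () {
    check_admin_referer( 'demo_cancel_booking' ); // wp_die()s with 403 on a missing or invalid nonce
    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    if ( 0 === $booking_id ) {
        wp_die( 'Invalid booking id', '', array( 'response' => 400 ) );
    }
    demo_cancel_booking( $booking_id );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-bookings' ) );
    exit;
} );

// Matching form: wp_nonce_field() emits the hidden _wpnonce and
// _wp_http_referer inputs that check_admin_referer() validates.
function demo_render_cancel_form( $booking_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'demo_cancel_booking' ); ?>
        <input type="hidden" name="action" value="demo_cancel_booking">
        <input type="hidden" name="booking_id" value="<?php echo esc_attr( $booking_id ); ?>">
        <button type="submit">Cancel booking</button>
    </form>
    <?php
}
```

A WordPress nonce is bound to the action, the current user and a time window, so a request assembled on another site cannot carry a valid one; the capability check remains necessary because a nonce proves origin, not authorization.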
OpenCVE Enrichment