Description
Cross-Site Request Forgery (CSRF) vulnerability in Webba Appointment Booking Webba Booking webba-booking-lite allows Cross Site Request Forgery. This issue affects Webba Booking: from n/a through <= 5.1.20.
Published: 2025-07-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Webba Appointment Booking Webba Booking plugin for WordPress contains a CSRF weakness (CWE-352) that lets an attacker lure an authenticated user into performing unintended booking actions. The flaw does not provide remote code execution or denial of service, but it can lead to unauthorized appointment creation, modification, or cancellation, potentially altering service schedules or compromising customer privacy.

Affected Systems

The vulnerability is present in all releases of the Webba Booking plugin up to and including version 5.1.20. No lower bound is given ("from n/a"), so no older release should be assumed to be unaffected.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at this time. The vulnerability is not currently listed in the CISA KEV catalog. Attackers would likely exploit it by sending a forged request from a malicious link, email, or embedded form to a logged‑in user's browser. The absence of CSRF tokens in the plugin's request handling is what allows such forged requests to succeed.

Generated by OpenCVE AI on April 30, 2026 at 16:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Webba Booking plugin to its latest release, which includes CSRF protection for all booking actions.
  • If the patch is not yet available, temporarily disable or restrict the booking creation, modification, and cancellation endpoints until a nonce or token implementation can be added to the forms.
  • Configure a web application firewall or security plugin to block cross‑origin POST/PUT requests to the booking URLs that lack a valid WordPress nonce or that originate from a different domain.
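As an added illustration of the nonce protection the recommendations refer to (this is not the Webba Booking plugin's code; the handler names and the wbk_demo prefix are hypothetical), a minimal WordPress admin-post handler in its unprotected form beside the nonce-checked form:

```php
<?php
// Added example, not the Webba Booking plugin's code. Action and function
// names with the 'wbk_demo' prefix are hypothetical placeholders.

// Unprotected pattern: the handler acts on any POST that reaches it, so a
// form on a third-party page can submit it from a logged-in user's browser.
add_action( 'admin_post_wbk_demo_cancel_unsafe', 'wbk_demo_cancel_unprotected' );
function wbk_demo_cancel_unprotected() {
    $id = absint( $_POST['appointment_id'] ?? 0 );
    // ... cancel appointment $id ...
    wp_safe_redirect( admin_url( 'admin.php?page=wbk-demo' ) );
    exit;
}

// Hardened pattern: the form carries a per-user nonce bound to this specific
// action and appointment, and the handler refuses requests without it.
function wbk_demo_cancel_form( int $id ): string {
    $form  = '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    $form .= '<input type="hidden" name="action" value="wbk_demo_cancel">';
    $form .= '<input type="hidden" name="appointment_id" value="' . esc_attr( $id ) . '">';
    // wp_nonce_field() emits a hidden field tied to the current user's session.
    $form .= wp_nonce_field( 'wbk_demo_cancel_' . $id, '_wbk_nonce', true, false );
    $form .= '<button type="submit">Cancel</button></form>';
    return $form;
}

add_action( 'admin_post_wbk_demo_cancel', 'wbk_demo_cancel_protected' );
function wbk_demo_cancel_protected() {
    $id = absint( $_POST['appointment_id'] ?? 0 );
    // check_admin_referer() stops the request with a 403 page when the nonce
    // is missing, expired, or was issued for a different action/appointment.
    check_admin_referer( 'wbk_demo_cancel_' . $id, '_wbk_nonce' );
    // A nonce proves intent, not authorization: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), 403 );
    }
    // ... cancel appointment $id ...
    wp_safe_redirect( admin_url( 'admin.php?page=wbk-demo' ) );
    exit;
}
```

The same check applies to AJAX and REST handlers (check_ajax_referer() or the X-WP-Nonce header), since a WAF rule on Origin alone cannot distinguish a legitimate same-site form from a forged one as reliably as the nonce can.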



Advisories

Source: EUVD
ID: EUVD-2025-21666
Title: Cross-Site Request Forgery (CSRF) vulnerability in Webba Appointment Booking Webba Booking allows Cross Site Request Forgery. This issue affects Webba Booking: from n/a through 5.1.20.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, value removed: Cross-Site Request Forgery (CSRF) vulnerability in Webba Appointment Booking Webba Booking allows Cross Site Request Forgery. This issue affects Webba Booking: from n/a through 5.1.20.
  Description, value added: Cross-Site Request Forgery (CSRF) vulnerability in Webba Appointment Booking Webba Booking webba-booking-lite allows Cross Site Request Forgery.This issue affects Webba Booking: from n/a through <= 5.1.20.
  References: (no values listed)
  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 16 Jul 2025 20:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 13:45:00 +0000
  Metrics (epss): {'score': 0.00029}

Wed, 16 Jul 2025 10:45:00 +0000
  Description: Cross-Site Request Forgery (CSRF) vulnerability in Webba Appointment Booking Webba Booking allows Cross Site Request Forgery. This issue affects Webba Booking: from n/a through 5.1.20.
  Title: WordPress Webba Booking plugin <= 5.1.20 - Cross Site Request Forgery (CSRF) Vulnerability
  Weaknesses: CWE-352
  References: (no values listed)
  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:29.717Z

Reserved: 2025-07-16T08:51:58.889Z

Link: CVE-2025-54036

Vulnrichment

Updated: 2025-07-16T20:01:31.595Z

NVD

Status: Deferred

Published: 2025-07-16T11:15:30.923

Modified: 2026-04-23T15:32:44.777

Link: CVE-2025-54036

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:45:26Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)