Description
Cross-Site Request Forgery (CSRF) vulnerability in Mejar WP Business Hours wp-business-hours allows Stored XSS.This issue affects WP Business Hours: from n/a through <= 1.4.
Published: 2025-10-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery flaw exists in the WordPress WP Business Hours plugin that permits an attacker to force authenticated users to submit malicious data, resulting in a stored cross‑site scripting condition. The flaw relies on the plugin’s lack of proper CSRF protection and inadequate input filtering, enabling unauthorized code execution in a victim’s browser when the data is displayed. The primary consequence is the compromise of the affected site’s integrity and the possible theft or manipulation of user data.

Affected Systems

The vulnerability affects the Mejar WP Business Hours plugin for WordPress, with all releases up to and including version 1.4 susceptible. Any WordPress installation that has not upgraded past version 1.4 is exposed.

Risk and Exploitability

The CVSS score is 7.1, categorizing the risk as high. The EPSS score is listed as <1%, indicating a low probability of exploitation, and the vulnerability is not present in the CISA KEV catalog. The most probable attack vector involves a crafted web request sent from a compromised user’s browser or a malicious link, exploiting the plugin’s missing CSRF token on state‑changing operations. Successful exploitation would lead to stored XSS, enabling attackers to run arbitrary scripts in the context of the site’s users.

Generated by OpenCVE AI on April 29, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Business Hours to the latest version (>=1.5) that includes CSRF protection and better input sanitization.
  • If an immediate upgrade is not possible, enforce CSRF tokens on all state‑changing actions by modifying the plugin’s form handlers or applying a security patch that inserts nonces or form‑key validation.
  • Implement comprehensive input sanitization or output encoding for any data stored by the plugin to mitigate stored XSS, ensuring that user‑supplied content is escaped before rendering.

Generated by OpenCVE AI on April 29, 2026 at 20:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Tue, 28 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Mon, 27 Oct 2025 02:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Mejar WP Business Hours wp-business-hours allows Stored XSS.This issue affects WP Business Hours: from n/a through <= 1.4.
Title WordPress WP Business Hours plugin <= 1.4 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:06.364Z

Reserved: 2025-10-24T14:24:41.997Z

Link: CVE-2025-62934

cve-icon Vulnrichment

Updated: 2025-10-27T15:13:45.578Z

cve-icon NVD

Status : Deferred

Published: 2025-10-27T02:15:53.250

Modified: 2026-04-27T17:16:35.557

Link: CVE-2025-62934

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T20:45:19Z

Weaknesses