Description
Unauthenticated Cross Site Request Forgery (CSRF) in Eagle Booking <= 1.3.4.3 versions.
Published: 2026-06-26
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Cross Site Request Forgery flaw in the Eagle Booking plugin version 1.3.4.3 and earlier. An attacker can craft requests that the victim’s browser will unknowingly send while authenticated, allowing the attacker to perform booking‑management actions without permission. The weakness resides in CWE‑352, where request validation fails to verify token integrity, enabling unauthorized state changes that compromise the integrity of booking data.

Affected Systems

WordPress sites running the Eagle Booking plugin, version 1.3.4.3 or older, provided by Eagle-Themes.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, though the EPSS score is not available and the issue is not listed in the KEV catalog. The attack vector is likely browser‑based, relying on victim interaction with the site; no authentication is required for exploitation. Given the lack of an official patch notice in the public referenced advisory, sites using the affected plugin version remain at significant risk until the plugin is updated or mitigations applied.

Generated by OpenCVE AI on June 26, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Eagle Booking plugin to a version newer than 1.3.4.3 once available.
  • If an update is not immediately possible, disable or restrict the booking‑related endpoints that accept state‑changing requests to authenticated users only.
  • Implement CSRF token validation on the affected endpoints to ensure each state change request contains an unforgeable token generated per user session.

Generated by OpenCVE AI on June 26, 2026 at 16:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Request Forgery (CSRF) in Eagle Booking <= 1.3.4.3 versions.
Title WordPress Eagle Booking plugin <= 1.3.4.3 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T17:10:17.461Z

Reserved: 2025-12-15T10:01:11.953Z

Link: CVE-2025-68052

cve-icon Vulnrichment

Updated: 2026-06-26T17:10:10.842Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T16:30:03Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)