CVE-2025-49965
Description
Cross-Site Request Forgery (CSRF) vulnerability in Oganro PixelBeds Channel Manager and Hotel Booking Engine (plugin slug pixelbeds-channel-manager-booking-engine) allows Cross Site Request Forgery. This issue affects PixelBeds Channel Manager and Hotel Booking Engine: from n/a through <= 1.0 (all versions up to and including 1.0).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WordPress PixelBeds Channel Manager and Hotel Booking Engine plugin <=1.0 has a CSRF vulnerability that can force authenticated users to perform unintended actions.
Overview
The WordPress PixelBeds Channel Manager and Hotel Booking Engine plugin, version 1.0 and earlier, contains a Cross-Site Request Forgery (CSRF) vulnerability. CSRF occurs when an attacker tricks a logged-in user's browser into submitting a request the user never intended; because the browser attaches the site's session cookie automatically, the application processes the request with the victim's privileges. In WordPress plugins the defect almost always takes the same form: a state-changing handler (an admin-post.php or admin-ajax.php action, or a settings form) does not embed a nonce in the form and does not verify one with check_admin_referer(), check_ajax_referer() or wp_verify_nonce() before acting. The CVE description does not name which of the plugin's endpoints are affected, only that forged requests can be made on behalf of an authenticated user [1].
Exploitation
Exploitation requires user interaction: a privileged user (such as an administrator) must be lured into clicking a malicious link, visiting a crafted webpage, or submitting a form that triggers the forged request while logged in to the WordPress site. The attacker does not need the victim's credentials, but must know the target endpoint and its parameters; for a publicly distributed plugin these can be read from its source code. No network access beyond delivering the crafted link or page to the victim is required [1]. One practical caveat: WordPress core sets no SameSite attribute on its authentication cookies, so browsers that apply a Lax default withhold the cookie on most cross-site POSTs but still attach it on top-level GET navigations, which means a state change reachable via GET (or via a form the browser exempts) remains exploitable.
Impact
Successful exploitation allows an attacker to make the victim's browser execute unwanted actions in the context of the PixelBeds plugin, such as changing plugin settings, modifying booking data, or performing other operations the victim is authorized to perform. The attacker gains no privileges the victim does not already hold; the damage is bounded by what the victim's account can change. The CVSS v3 base score for this vulnerability is 4.3 (Medium), which is consistent with the vector commonly assigned to WordPress plugin CSRF (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N): user interaction is required and the scored impact is a limited loss of integrity, with no confidentiality or availability impact [1].
Mitigation
As of the advisory date, the vulnerability exists in the plugin up to version 1.0 and no fixed release is known. The proper fix is the vendor's: embed a nonce in every state-changing form or AJAX call (wp_nonce_field() or wp_create_nonce()) and verify it in the handler with check_admin_referer() or check_ajax_referer(), together with a current_user_can() capability check. Plugin users should update as soon as a patched version is published. Until then, note that network-level restrictions on wp-admin do not stop CSRF, because the forged request originates from the victim's own browser; more useful interim measures are to keep the number of administrator accounts small, have administrators use a separate browser profile for site administration and log out when finished, and, where the booking functionality can be spared, deactivate the plugin. Hosting providers or developers may be consulted for interim workarounds such as web application firewall rules [1].
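As an added illustration of the defect class and its fix (this is not code from the PixelBeds plugin, whose affected endpoint the description does not name), the hypothetical WordPress settings handler below is shown in its vulnerable form beside a hardened one. The hook names, option name, field names and capabilities are assumptions made for the example.

```php
<?php
/*
 * Hypothetical WordPress admin handlers, added here to illustrate the CSRF
 * defect class behind this CVE. NOT code from the PixelBeds plugin: the action
 * slugs, option name, field names and capabilities are assumptions.
 */

// --- Vulnerable form: the handler trusts any POST that reaches it. ----------
// The browser sends the WordPress login cookie with every request to the site,
// so a page on an attacker-controlled origin can auto-submit
//   <form action="https://victim.example/wp-admin/admin-post.php" method="post">
//     <input name="action" value="pb_save_settings"> ...
// and the handler below cannot distinguish it from the plugin's own form.
// (Registration is commented out so the two variants are not both hooked.)
// add_action( 'admin_post_pb_save_settings', 'pb_save_settings_vulnerable' );
function pb_save_settings_vulnerable() {
    // No nonce verification and no capability check.
    update_option( 'pb_settings', array(
        'api_key'      => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'notify_email' => sanitize_email( wp_unslash( $_POST['notify_email'] ?? '' ) ),
    ) );
    wp_safe_redirect( admin_url( 'admin.php?page=pb-settings&updated=1' ) );
    exit;
}

// --- Hardened form ----------------------------------------------------------
// 1. The settings form embeds a nonce bound to the action and the current user.
function pb_render_settings_form() {
    $opts = get_option( 'pb_settings', array() );
    ?>
    <form action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" method="post">
        <?php wp_nonce_field( 'pb_save_settings', 'pb_nonce' ); ?>
        <input type="hidden" name="action" value="pb_save_settings">
        <input type="text"  name="api_key"      value="<?php echo esc_attr( $opts['api_key'] ?? '' ); ?>">
        <input type="email" name="notify_email" value="<?php echo esc_attr( $opts['notify_email'] ?? '' ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler refuses the request unless the nonce verifies AND the user
//    holds the capability. A cross-site page cannot read the nonce value, so a
//    forged request is stopped by check_admin_referer() (it calls wp_die()).
add_action( 'admin_post_pb_save_settings', 'pb_save_settings_hardened' );
function pb_save_settings_hardened() {
    check_admin_referer( 'pb_save_settings', 'pb_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'pb' ), 403 );
    }
    update_option( 'pb_settings', array(
        'api_key'      => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'notify_email' => sanitize_email( wp_unslash( $_POST['notify_email'] ?? '' ) ),
    ) );
    wp_safe_redirect( admin_url( 'admin.php?page=pb-settings&updated=1' ) );
    exit;
}

// 3. AJAX endpoints need the same two checks: check_ajax_referer() for the
//    nonce (read here from a POST field named "nonce") plus a capability check.
//    The nonce is created with wp_create_nonce( 'pb_update_booking' ) when the
//    admin page is rendered and passed to the page's script.
add_action( 'wp_ajax_pb_update_booking', 'pb_update_booking_ajax' );
function pb_update_booking_ajax() {
    check_ajax_referer( 'pb_update_booking', 'nonce' ); // replies -1/403 and stops on failure
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    // ... apply the (hypothetical) booking change here ...
    wp_send_json_success( array( 'booking_id' => $booking_id ) );
}
```

The nonce alone is not an authorization check: it proves the request came from a page WordPress rendered for this user, while current_user_can() decides whether that user may perform the action. Both are needed, and the order matters little as long as neither is skipped.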
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 1.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.