CVE-2025-54036
Description
Cross-Site Request Forgery (CSRF) vulnerability in Webba Appointment Booking Webba Booking webba-booking-lite allows Cross Site Request Forgery. This issue affects Webba Booking: from n/a through <= 5.1.20.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery (CSRF) in Webba Booking plugin for WordPress allows attackers to trick privileged users into performing unwanted actions.
Vulnerability
Overview
The Webba Booking plugin for WordPress (webba-booking-lite) contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 5.1.20. This flaw allows attackers to craft malicious requests that, when triggered by an authenticated administrator or other privileged user, execute unwanted actions under the victim's session. The vulnerability stems from missing or insufficient CSRF token validation in certain plugin operations [1].
Exploitation
Prerequisites
Exploitation requires user interaction: an attacker must trick a logged-in user with sufficient privileges into clicking a link, visiting a crafted page, or submitting a specially crafted form. The attacker needs no credentials of their own, but the victim must have an active session with the WordPress site and appropriate permissions (such as an Admin role). The vulnerability can be initiated remotely over the network [1].
Impact
Successful exploitation enables an attacker to force a privileged user to perform unintended actions within the plugin's context, such as modifying booking settings, deleting appointments, or other administrative operations. The CVSS v3 score is 4.3 (Medium), indicating a low-to-moderate severity due to the required user interaction and limited impact on confidentiality or availability [1].
Mitigation
The vendor has addressed the vulnerability in version 5.1.21. Users are strongly advised to update the plugin. For those unable to update immediately, enabling auto-updates for vulnerable plugins (e.g., via Patchstack) or seeking assistance from a hosting provider or developer is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
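To make the "missing or insufficient CSRF token validation" mechanism concrete, here is an added, hypothetical WordPress admin-post handler (illustration only, not Webba Booking's code): a settings-save action shown first without CSRF protection and then hardened with a nonce and a capability check. The action name, option name and field names are invented for the example.

```php
<?php
// Added illustration (not Webba Booking's code): a hypothetical admin-post
// handler that saves a plugin setting. The action, option and field names
// are invented for this example.

// --- Vulnerable pattern (not registered here): state change on any POST ---
// A page the logged-in admin visits can auto-submit a form to
// admin-post.php?action=example_booking_save_settings; the browser attaches
// the admin's cookies, so the change runs with their privileges.
function example_booking_save_settings_vulnerable() {
    $hours = sanitize_text_field( wp_unslash( $_POST['business_hours'] ?? '' ) );
    update_option( 'example_booking_business_hours', $hours );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// --- Hardened pattern: the form carries a nonce bound to action + user ---
function example_booking_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_booking_save_settings">
        <?php wp_nonce_field( 'example_booking_save_settings', '_example_booking_nonce' ); ?>
        <input type="text" name="business_hours">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_booking_save_settings_hardened() {
    // 1. Authorization: the caller must actually be allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: the nonce is tied to this action and this user's session,
    //    so a form on a third-party page cannot supply a valid one.
    //    check_admin_referer() calls wp_die() itself when the nonce is bad.
    check_admin_referer( 'example_booking_save_settings', '_example_booking_nonce' );

    $hours = sanitize_text_field( wp_unslash( $_POST['business_hours'] ?? '' ) );
    update_option( 'example_booking_business_hours', $hours );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_example_booking_save_settings', 'example_booking_save_settings_hardened' );
```

The capability check and the nonce check address different failures: the first stops low-privilege users, the second stops a privileged user's browser from being used against them, which is the CSRF case described above.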
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.