VYPR
Medium severity 4.3 · NVD Advisory · Published Dec 31, 2025 · Updated Apr 23, 2026

CVE-2025-59130

Description

Cross-Site Request Forgery (CSRF) vulnerability in appointify Appointify (appointify) allows Cross-Site Request Forgery. This issue affects Appointify: from n/a through <= 1.0.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in Appointify plugin (up to v1.0.8) allows attackers to force privileged users into unwanted actions.

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Appointify WordPress plugin through version 1.0.8. The vulnerability stems from missing or insufficient anti-CSRF tokens in sensitive operations, allowing an attacker to craft malicious requests that appear legitimate to the server [1].

Exploitation requires user interaction: a privileged user (e.g., an administrator) must be tricked into clicking a crafted link, visiting a malicious page, or submitting a form. The attacker does not need any authentication, but the target user must have an active session with the Appointify plugin [1].

Successful exploitation enables an attacker to perform unintended actions on behalf of the victim. This could include modifying plugin settings, deleting data, or other configuration changes, potentially leading to further compromise of the WordPress site [1].

Appointify users should immediately update the plugin to the latest patched version if available. As a workaround, implement additional CSRF protections such as adding nonces to forms and confirming sensitive actions. Plugin authors have been notified through Patchstack's disclosure process [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

References

1
