CVE-2025-64286
Description
Cross-Site Request Forgery (CSRF) vulnerability in WpEstate WP Rentals wprentals allows Cross Site Request Forgery. This issue affects WP Rentals: from n/a through <= 3.13.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the WP Rentals theme (≤3.13.1) allows attackers to force privileged users to execute unintended actions.
Vulnerability Overview
The WP Rentals theme for WordPress, versions up to and including 3.13.1, contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw arises from insufficient validation of request origins, allowing an attacker to trick a logged-in administrator or other privileged user into unknowingly performing actions on the attacker's behalf [1].
Exploitation Prerequisites
Exploitation requires user interaction: a privileged user must click a malicious link, visit a crafted page, or submit a specially crafted form while authenticated to the WordPress site [1]. No direct authentication is needed for the attacker, but the victim must have an active session with sufficient privileges to perform the targeted action [1].
Impact
Successful CSRF exploitation can force the victim to execute unwanted actions under their current authentication, such as changing settings, creating new admin accounts, or modifying content [1]. This can lead to partial loss of integrity and availability, depending on the actions executed [1].
Mitigation
The vendor has not released a patched version beyond 3.13.1 at the time of publication. Users are advised to update the theme immediately if a fix becomes available, or to implement additional CSRF protections such as validation of nonces and referrer headers [1].
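The nonce validation mentioned above, shown with WordPress's own nonce API as an added example (not WP Rentals code and not taken from the cited reference). The action name example_save_settings, the field example_nonce, the option example_option and the page slug example-settings are hypothetical.

```php
<?php
// Added example: every "example_*" name is hypothetical, not from WP Rentals.

// Form side: wp_nonce_field() emits a hidden token tied to this action and to
// the logged-in user's session, plus a hidden _wp_http_referer field.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="example_option"
               value="<?php echo esc_attr( get_option( 'example_option', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Before: a state-changing handler with no origin check. It is defined here
// only for comparison and is deliberately not registered on any hook.
function example_save_settings_unprotected() {
    $value = isset( $_POST['example_option'] ) ? wp_unslash( $_POST['example_option'] ) : '';
    update_option( 'example_option', sanitize_text_field( $value ) );
}

// After: capability check, then nonce check, then the write.
function example_save_settings() {
    // A nonce proves intent, not permission, so authorization is checked too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // Ends the request with an error page when the nonce field is missing,
    // expired, or was issued for a different action or user.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $value = isset( $_POST['example_option'] ) ? wp_unslash( $_POST['example_option'] ) : '';
    update_option( 'example_option', sanitize_text_field( $value ) );

    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}
// admin-post.php dispatches only logged-in requests to the admin_post_{action} hook.
add_action( 'admin_post_example_save_settings', 'example_save_settings' );
```

For admin-ajax.php handlers the equivalent check is check_ajax_referer() with the same action string.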
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=3.13.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.