CVE-2025-7965
Description
The CBX Restaurant Booking WordPress plugin through 1.2.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The CBX Restaurant Booking plugin for WordPress lacks CSRF protection when updating settings, allowing attackers to secretly change them via a CSRF attack.
Vulnerability Overview
The CBX Restaurant Booking WordPress plugin through version 1.2.1 does not include a Cross-Site Request Forgery (CSRF) check when updating its settings [1]. This means that an attacker can craft a malicious request that, when triggered by an authenticated administrator, silently modifies the plugin's configuration without the admin's knowledge or consent.
Attack Vector
To exploit this vulnerability, an attacker must trick a logged-in administrator into performing an action, such as clicking a link or visiting a compromised page, that sends the forged request to the plugin's settings update endpoint [1]. No prior authentication or special privileges are required on the part of the attacker beyond the ability to deliver the crafted request to the admin.
Impact
A successful CSRF attack can lead to unauthorized changes to the plugin's settings, potentially altering booking functionality, redirecting data, or disabling key security features [1]. The impact is limited to the plugin's configuration and does not directly compromise user data or the underlying WordPress installation, but it can disrupt the service or be used in combination with other attacks.
Mitigation Status
As of the latest information, the plugin has no known fix for this vulnerability [1]. Users are advised to apply workarounds such as using anti-CSRF tokens in custom code or restricting administrative actions until a patch is released.
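To make the defect class and its fix concrete, the following is an added example and not the CBX Restaurant Booking plugin's own code. It shows a settings-save handler in the vulnerable shape the description implies (no nonce and no capability check) beside a hardened version built on the standard WordPress APIs (`wp_nonce_field`, `check_admin_referer`, `current_user_can`). The option key `example_booking_settings`, the `admin_post_example_booking_save_settings` hook, the nonce action `example_booking_save` and the field names are hypothetical placeholders, not names from the affected plugin.

```php
<?php
// Added example for CVE-2025-7965; not code from the affected plugin.
// All option, action and field names below are hypothetical placeholders.

/**
 * VULNERABLE pattern: the handler accepts any POST that reaches it.
 * The admin's session cookie is attached automatically by the browser,
 * so a forged cross-site form submission looks like a legitimate one.
 */
function example_booking_save_settings_vulnerable() {
    // No nonce check and no capability check.
    $settings = array(
        'max_guests' => isset( $_POST['max_guests'] ) ? intval( $_POST['max_guests'] ) : 4,
        'notify_to'  => isset( $_POST['notify_to'] ) ? sanitize_email( wp_unslash( $_POST['notify_to'] ) ) : '',
    );
    update_option( 'example_booking_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=example-booking&updated=1' ) );
    exit;
}

/**
 * HARDENED pattern: verify the per-user, time-limited nonce emitted by the
 * settings form, then confirm the caller may manage options.
 * check_admin_referer() stops the request with a 403 when the nonce is
 * missing or invalid, which is exactly the case for a forged request.
 */
function example_booking_save_settings_hardened() {
    check_admin_referer( 'example_booking_save', '_example_booking_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You do not have permission to change these settings.', 'example-booking' ),
            '',
            array( 'response' => 403 )
        );
    }

    $settings = array(
        'max_guests' => isset( $_POST['max_guests'] ) ? max( 1, intval( $_POST['max_guests'] ) ) : 4,
        'notify_to'  => isset( $_POST['notify_to'] ) ? sanitize_email( wp_unslash( $_POST['notify_to'] ) ) : '',
    );
    update_option( 'example_booking_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=example-booking&updated=1' ) );
    exit;
}
// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'admin_post_example_booking_save_settings', 'example_booking_save_settings_hardened' );

/**
 * The settings form must emit the matching nonce field. Without it the
 * hardened handler rejects every submission, legitimate ones included.
 */
function example_booking_render_settings_form() {
    $settings = get_option( 'example_booking_settings', array( 'max_guests' => 4, 'notify_to' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_booking_save_settings">
        <?php wp_nonce_field( 'example_booking_save', '_example_booking_nonce' ); ?>
        <label>Max guests
            <input type="number" name="max_guests" value="<?php echo esc_attr( $settings['max_guests'] ); ?>">
        </label>
        <label>Notify
            <input type="email" name="notify_to" value="<?php echo esc_attr( $settings['notify_to'] ); ?>">
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}
```

Two details matter when reviewing a plugin for this class of bug: the nonce check must run before any `update_option` call (a check placed after the write is useless), and a nonce alone is not an authorization check, so the `current_user_can` test stays even though only administrators normally reach the page. For a site that cannot patch, the same pattern can be enforced from a small must-use plugin hooked ahead of the vulnerable handler, and a 403 logged from `check_admin_referer` failures on the settings endpoint is a useful detection signal.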
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.