CVE-2025-12685: CWE-352 Cross-Site Request Forgery (CSRF) in WPBookit
The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack.
AI Analysis
Technical Summary
CVE-2025-12685 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the WPBookit WordPress plugin, specifically affecting versions through 1.0.7. The vulnerability arises because the plugin fails to implement CSRF tokens or other anti-CSRF mechanisms when processing requests to delete customer records. This security oversight allows an attacker to craft malicious web requests that, when executed by an authenticated administrator’s browser, can delete customer data without their consent or knowledge. The vulnerability is exploitable remotely without requiring any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact primarily affects the confidentiality and integrity of customer data, as unauthorized deletion can lead to data loss and potential disruption of business operations. Although no public exploits have been reported, the vulnerability’s presence in a widely used WordPress plugin for booking management systems poses a tangible risk. The plugin’s role in managing customer information makes the vulnerability particularly sensitive, as attackers could disrupt service continuity or cause reputational damage. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps by affected users.
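The missing control described above is a WordPress nonce (anti-CSRF token) plus a capability check on the delete handler. The following is an added illustration, not WPBookit's code: a hypothetical plugin's customer-delete AJAX action in the unprotected form the advisory describes, beside the hardened form. All function names prefixed `example_`, the `example_customers` table and the `example-admin` script handle are assumptions.

```php
<?php
// Hypothetical WordPress plugin handler (not WPBookit's code) illustrating the
// class of defect in CVE-2025-12685: a customer-delete action with no CSRF
// (nonce) check, followed by the hardened version of the same handler.

// --- Vulnerable pattern: any request naming the action and an id is honoured.
// A forged cross-site request carries the victim's WordPress cookies, so the
// plugin cannot distinguish it from an administrator's own click.
add_action( 'wp_ajax_example_delete_customer_vuln', 'example_delete_customer_vuln' );
function example_delete_customer_vuln() {
    global $wpdb;
    $id = absint( $_POST['customer_id'] ?? 0 );
    $wpdb->delete( $wpdb->prefix . 'example_customers', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}

// --- Hardened pattern: nonce check + capability check before any deletion.
add_action( 'wp_ajax_example_delete_customer', 'example_delete_customer' );
function example_delete_customer() {
    // 1. Reject requests that do not carry a nonce bound to this action and the
    //    logged-in user. check_ajax_referer() terminates with HTTP 403 on failure.
    check_ajax_referer( 'example_delete_customer', 'nonce' );

    // 2. Authorisation is separate from CSRF protection: the caller must also
    //    hold a capability that permits managing customers (assumed: manage_options).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    global $wpdb;
    $id = absint( $_POST['customer_id'] ?? 0 );
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid customer id' ), 400 );
    }
    $deleted = $wpdb->delete( $wpdb->prefix . 'example_customers', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// --- The legitimate admin page hands the nonce to its own JavaScript (the
//     'example-admin' script is assumed to be registered elsewhere), so only
//     requests originating from that page can present a valid token.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-admin', 'exampleAdmin', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'example_delete_customer' ),
    ) );
} );
```

Nonces expire and are tied to the user session, so a page an attacker controls cannot obtain one; this is the check whose absence the advisory reports.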
Potential Impact
The vulnerability allows attackers to delete customer records without authorization, impacting data confidentiality and integrity. This can lead to loss of critical customer information, disruption of booking and customer management workflows, and potential reputational damage for organizations relying on WPBookit. Since the attack requires no authentication or user interaction, it can be executed remotely and silently, increasing the risk of widespread exploitation. Organizations may face operational downtime while restoring lost data, and customers could lose trust due to data mishandling. Although availability is not directly affected, the indirect impact on business continuity can be significant. The vulnerability is particularly concerning for businesses that rely heavily on WPBookit for customer management, including small to medium enterprises in service industries such as hospitality, healthcare, and education.
Mitigation Recommendations
Until an official patch is released, organizations should implement the following mitigations:
1) Restrict access to the WordPress admin interface to trusted IP addresses or VPNs to reduce exposure.
2) Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious CSRF attack patterns targeting customer deletion endpoints.
3) Educate administrators to avoid clicking on suspicious links or visiting untrusted websites while logged into WordPress.
4) Regularly back up customer data and test restoration procedures to minimize impact from potential data loss.
5) Monitor logs for unusual deletion activities or unexpected HTTP requests to the plugin’s endpoints.
6) Consider temporarily disabling the customer deletion feature if feasible until a patch is available.
7) Stay updated with WPBookit plugin releases and apply security updates promptly once available.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2025-11-04T05:28:26.059Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6957621bdb813ff03ed0f77b
Added to database: 1/2/2026, 6:13:47 AM
Last enriched: 4/3/2026, 3:29:56 AM
Last updated: 5/6/2026, 2:16:44 PM