CVE-2025-58991 is a high-severity Cross-Site Request Forgery (CSRF) vulnerability affecting the WooCommerce Booking Bundle Hours plugin developed by Cristiano Zanca, specifically versions up to 0.7.4. This vulnerability allows an attacker to perform unauthorized actions on behalf of an authenticated user without their consent, leveraging the user's active session. The CSRF flaw is compounded by the presence of Stored Cross-Site Scripting (XSS), which means that malicious scripts can be persistently injected and executed in the context of the victim's browser. The CVSS 3.1 score of 7.1 indicates a high impact with network attack vector, low attack complexity, no privileges required, but user interaction is necessary. The vulnerability affects confidentiality, integrity, and availability due to the ability to execute unauthorized commands and inject persistent scripts. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. No patches or known exploits in the wild are currently reported, but the risk remains significant given the plugin’s integration with WooCommerce, a widely used e-commerce platform for WordPress. Attackers could exploit this vulnerability to manipulate booking data, inject malicious payloads, or disrupt service availability by exploiting the CSRF to perform actions like changing bookings or configurations, while the Stored XSS could be used for session hijacking or delivering further malware.

For European organizations using WooCommerce with the Booking Bundle Hours plugin, this vulnerability poses a significant risk to e-commerce operations, customer trust, and data integrity. Exploitation could lead to unauthorized modification of booking information, financial fraud, or leakage of sensitive customer data. The Stored XSS aspect increases the risk of broader compromise through session hijacking or malware delivery, potentially affecting not only the website but also its users. Disruption of booking services can impact revenue and reputation, especially for businesses relying on online appointment or resource scheduling. Given the widespread adoption of WooCommerce in Europe, particularly among SMEs in retail, hospitality, and services sectors, the threat could have a broad operational and financial impact. Additionally, GDPR implications arise if personal data is compromised, leading to regulatory penalties and loss of customer confidence.

European organizations should immediately audit their WooCommerce installations to identify the presence of the Booking Bundle Hours plugin and its version. Until an official patch is released, mitigation should include disabling or removing the vulnerable plugin to prevent exploitation. Implementing Web Application Firewall (WAF) rules to detect and block CSRF attack patterns and suspicious POST requests targeting booking endpoints can reduce risk. Enforcing strict Content Security Policy (CSP) headers can help mitigate the impact of Stored XSS by restricting script execution. Organizations should also ensure that anti-CSRF tokens are properly implemented in all forms and state-changing requests within their WooCommerce environment. Regular monitoring of logs for unusual activities related to booking changes or script injections is recommended. Finally, educating users and administrators about phishing and social engineering risks that could facilitate CSRF exploitation is important. Once a patch becomes available, prompt application and testing in staging environments before production deployment is critical.