CVE-2025-62934 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Mejar WP Business Hours WordPress plugin, affecting versions up to and including 1.4. The vulnerability enables an attacker to trick authenticated users into submitting unauthorized requests to the vulnerable plugin, which subsequently allows the injection and storage of malicious scripts (Stored XSS) within the website. This stored XSS can be executed in the context of users visiting the affected site, potentially leading to session hijacking, credential theft, or further malware distribution. The CVSS 3.1 base score of 8.8 reflects the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). The vulnerability was reserved on 2025-10-24 and published on 2025-10-27, with no known exploits in the wild at the time of reporting. The lack of available patches necessitates immediate attention from administrators using this plugin. The vulnerability arises from insufficient CSRF protections in the plugin's request handling, allowing malicious crafted requests to be accepted and stored. This can compromise the website's security posture and user trust significantly.

For European organizations, the impact of CVE-2025-62934 can be severe, especially for those relying on WordPress sites with the WP Business Hours plugin installed. The stored XSS resulting from CSRF exploitation can lead to theft of user credentials, unauthorized actions performed on behalf of users, website defacement, and distribution of malware to visitors. This can result in data breaches, loss of customer trust, regulatory penalties under GDPR, and operational disruptions. Organizations in sectors such as e-commerce, finance, healthcare, and public services are particularly vulnerable due to the sensitive nature of their data and the reliance on web presence. The attack requires user interaction but no authentication, increasing the attack surface. The high CVSS score indicates that the vulnerability can be exploited remotely with relative ease, potentially affecting a large number of users and systems. Additionally, the stored XSS can be leveraged to escalate attacks within the network, impacting internal systems if administrative users are targeted.

1. Immediately assess if the WP Business Hours plugin is installed and identify the version. 2. If possible, update the plugin to a patched version once available from the vendor. 3. If no patch is available, consider disabling or uninstalling the plugin to eliminate the attack vector. 4. Implement strict Content Security Policies (CSP) to restrict the execution of unauthorized scripts on the website. 5. Employ Web Application Firewalls (WAF) with rules to detect and block CSRF and XSS attack patterns targeting the plugin endpoints. 6. Educate users and administrators about phishing and social engineering risks to reduce successful user interaction exploitation. 7. Regularly monitor web server logs and security alerts for suspicious activities related to the plugin. 8. Conduct security audits and penetration testing focusing on CSRF and XSS vulnerabilities in WordPress environments. 9. Enforce multi-factor authentication for administrative access to reduce the impact of compromised credentials. 10. Backup website data regularly to enable quick recovery in case of successful exploitation.