CVE-2025-62934 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Mejar WP Business Hours plugin for WordPress, affecting versions up to and including 1.4. The vulnerability enables attackers to trick authenticated users into submitting forged requests without their consent, which the plugin processes as legitimate. This leads to stored Cross-Site Scripting (XSS), where malicious scripts are permanently saved in the application and executed in the context of other users' browsers. The CVSS 3.1 score of 8.8 reflects a high-severity issue with network attack vector, low attack complexity, no privileges required, but requiring user interaction. The impact spans confidentiality, integrity, and availability, as attackers can inject scripts to steal sensitive data, manipulate content, or disrupt service. The vulnerability is particularly dangerous because it does not require authentication or elevated privileges, making it accessible to remote attackers. No patches or known exploits are currently reported, but the plugin’s widespread use in business websites makes this a critical concern. The vulnerability was published on October 27, 2025, by Patchstack, and remains unpatched at the time of this report.

For European organizations, this vulnerability can lead to significant security breaches, including theft of user credentials, session hijacking, unauthorized changes to business hours displayed on websites, and defacement or disruption of services. Small and medium-sized enterprises (SMEs) relying on WP Business Hours to display operational times risk reputational damage and loss of customer trust if exploited. The stored XSS component can be leveraged to propagate malware or phishing attacks targeting site visitors, potentially affecting customers and partners across Europe. Given the plugin’s role in business communications, exploitation could disrupt customer engagement and operational transparency. The ease of exploitation without authentication and the potential for widespread impact on confidentiality, integrity, and availability elevate the threat level for European businesses, especially those with public-facing WordPress sites using this plugin.

1. Immediately monitor for updates or patches from Mejar and apply them as soon as they become available. 2. Until a patch is released, disable or uninstall the WP Business Hours plugin if feasible to eliminate exposure. 3. Implement Web Application Firewall (WAF) rules to detect and block CSRF attack patterns targeting the plugin’s endpoints. 4. Enforce strict Content Security Policy (CSP) headers to mitigate the impact of stored XSS by restricting script execution sources. 5. Educate site administrators and users about the risks of clicking on suspicious links that could trigger CSRF attacks. 6. Restrict administrative access to trusted IP addresses and enforce multi-factor authentication to reduce the risk of unauthorized actions. 7. Conduct regular security audits and vulnerability scans focusing on WordPress plugins to identify and remediate similar issues proactively. 8. Use security plugins that provide CSRF token enforcement and XSS protection as additional layers of defense.