
CVE-2025-62934: Cross-Site Request Forgery (CSRF) in Mejar WP Business Hours

Severity: High
Published: Mon Oct 27 2025 (10/27/2025, 01:34:02 UTC)
Source: CVE Database V5
Vendor/Project: Mejar
Product: WP Business Hours

Description

Cross-Site Request Forgery (CSRF) vulnerability in Mejar WP Business Hours wp-business-hours allows Stored XSS. This issue affects WP Business Hours: from n/a through <= 1.4.

AI-Powered Analysis

Last updated: 10/27/2025, 02:26:40 UTC

Technical Analysis

CVE-2025-62934 is a vulnerability in the Mejar WP Business Hours plugin for WordPress, affecting versions up to and including 1.4. The core issue is a Cross-Site Request Forgery (CSRF) flaw: a state-changing plugin request is accepted without verifying that it originated from the site itself, so an attacker can craft a web page that, when visited by a logged-in user, submits that request with the victim's session cookies. Because the request parameters are stored without adequate sanitization, the CSRF flaw becomes a vector for Stored Cross-Site Scripting (XSS): script injected through the forged request is persisted in the plugin's data and rendered to every user who later views the affected content. Stored XSS can lead to session hijacking, defacement, or redirection to malicious sites, severely impacting site integrity and user trust.

Although no public exploits have been reported yet, the stored XSS outcome elevates the risk profile. The plugin manages the display of business hours and is commonly installed on small and medium business websites. No CVSS score has been assigned, and no official patch is currently linked, so site administrators should treat the issue as requiring prompt attention. The vulnerability was published on October 27, 2025, with Patchstack as the assigner.

Potential Impact

For European organizations, especially SMEs relying on WordPress and the WP Business Hours plugin, this vulnerability poses significant risks. Exploitation could lead to unauthorized changes in plugin data, persistent XSS affecting site visitors and administrators, and session hijacking. This undermines confidentiality by exposing user sessions and data, integrity by allowing unauthorized content injection, and availability if attackers disrupt site functionality. The impact is heightened in sectors where published business hours and customer interaction are critical, such as retail, hospitality, and professional services. Compromised sites can also be used as vectors for broader attacks or phishing campaigns targeting European users. Because the flaw does not bypass authentication, an attacker must lure a logged-in user (typically an administrator) to an attacker-controlled page; given how routinely WordPress administrators browse while logged in, this is a realistic threat. The absence of known exploits provides a window for mitigation but should not lead to complacency.

Mitigation Recommendations

1. Immediately monitor for updates or patches released by Mejar for WP Business Hours and apply them promptly.
2. Implement Web Application Firewall (WAF) rules to detect and block CSRF and XSS attack patterns targeting the plugin.
3. Enforce strict Content Security Policy (CSP) headers to mitigate the impact of stored XSS by restricting script execution sources.
4. Limit administrative access to trusted IP addresses and enforce multi-factor authentication (MFA) to reduce the risk of session hijacking.
5. Regularly audit and sanitize plugin data inputs and outputs to detect and remove malicious scripts.
6. Educate users and administrators about phishing and social engineering tactics that could trigger CSRF attacks.
7. Consider temporarily disabling the WP Business Hours plugin if immediate patching is not possible and business operations allow.
8. Employ security plugins that provide CSRF token validation and XSS protection for WordPress environments.
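To make the CSRF-to-stored-XSS pattern from the technical analysis and the token-validation and sanitization advice in items 5 and 8 concrete, here is an added illustrative WordPress settings handler. It is not the WP Business Hours plugin's code; the `bh_demo_*` function, option and action names are invented for the example, and it relies only on core WordPress APIs.

```php
<?php
// Added example, not the plugin's code. A hypothetical admin-post handler that stores a
// "business hours" note, shown first in the unsafe shape the advisory describes and then
// hardened. Function, option and action names prefixed bh_demo_ are made up for this demo.

// --- Unsafe pattern: no nonce, no capability check, no sanitization, raw output -------------
function bh_demo_save_hours_unsafe() {
    // Every request that reaches admin-post.php with this action is trusted, so a page a
    // logged-in admin is lured to can submit it with the admin's cookies (CSRF) ...
    update_option( 'bh_demo_hours', $_POST['hours'] ); // ... and persist <script> (stored XSS)
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
function bh_demo_render_hours_unsafe() {
    echo get_option( 'bh_demo_hours' ); // renders whatever was stored, script included
}

// --- Hardened pattern -----------------------------------------------------------------------
function bh_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'bh_demo_save_hours', 'bh_demo_nonce' ); // per-user, time-limited token
    echo '<input type="hidden" name="action" value="bh_demo_save_hours">';
    echo '<input type="text" name="hours" value="' . esc_attr( get_option( 'bh_demo_hours', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
function bh_demo_save_hours() {
    // 1. CSRF: the request must carry a nonce bound to this action and the current user.
    check_admin_referer( 'bh_demo_save_hours', 'bh_demo_nonce' );
    // 2. Authorization: being logged in is not enough; require the settings capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 3. Input: strip tags, control characters and WP's added slashes before storing.
    $hours = isset( $_POST['hours'] ) ? sanitize_text_field( wp_unslash( $_POST['hours'] ) ) : '';
    update_option( 'bh_demo_hours', $hours );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
function bh_demo_render_hours() {
    // 4. Output: escape at render time even though the input was sanitized on the way in.
    echo esc_html( get_option( 'bh_demo_hours', '' ) );
}
add_action( 'admin_post_bh_demo_save_hours', 'bh_demo_save_hours' );
```

A forged request without the nonce stops at `check_admin_referer()`, which ends the request with WordPress's "The link you followed has expired" page instead of reaching `update_option()`; the CSP header from item 3 remains a useful second layer in case any stored markup still reaches a page.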


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-10-24T14:24:41.997Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68fed03223a7bbed324acc05

Added to database: 10/27/2025, 1:51:46 AM

Last enriched: 10/27/2025, 2:26:40 AM

Last updated: 10/29/2025, 6:41:55 AM

