CVE-2025-64286 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the WP Rentals plugin developed by WpEstate, affecting all versions up to and including 3.13.1. CSRF vulnerabilities occur when a web application does not adequately verify that requests made to it originate from authenticated and authorized users. In this case, an attacker can craft malicious web requests that, when executed by an authenticated user, cause the application to perform unintended actions such as modifying rental listings, changing user settings, or other state-changing operations within the WP Rentals plugin. The vulnerability arises due to the lack of proper anti-CSRF tokens or validation mechanisms in the plugin’s request handling. Although no public exploits have been reported yet, the vulnerability is significant because it can be exploited remotely without requiring the attacker to have direct access to the victim’s credentials or system. The attacker only needs to lure an authenticated user into visiting a malicious website or clicking a crafted link. The plugin is widely used in WordPress-based real estate websites to manage property listings and bookings, making it a valuable target for attackers aiming to disrupt services or manipulate data. The absence of a CVSS score limits precise severity quantification, but the nature of CSRF vulnerabilities typically impacts data integrity and user trust, with potential secondary impacts on availability if malicious changes disrupt service. The vulnerability was publicly disclosed on October 29, 2025, and no patches or mitigations were linked at the time of disclosure, emphasizing the need for immediate attention from site administrators.

For European organizations, especially those operating real estate platforms using WP Rentals, this vulnerability can lead to unauthorized changes in property listings, booking details, or user account settings. Such unauthorized modifications can damage business reputation, cause financial losses, and erode customer trust. In regulated environments, data integrity issues could also lead to compliance violations under GDPR if personal data is manipulated or exposed. The ease of exploitation—requiring only that an authenticated user visits a malicious page—raises the risk of widespread attacks, particularly through phishing campaigns. Disruption of rental services could impact revenue streams and customer satisfaction. Additionally, attackers could leverage this vulnerability as a foothold for further attacks, such as privilege escalation or injecting malicious content. The threat is more pronounced in countries with high WordPress market share and active real estate sectors, where WP Rentals is more likely deployed. The lack of known exploits currently provides a window for proactive mitigation but should not lead to complacency.

1. Immediately monitor for updates or patches from WpEstate and apply them as soon as they become available. 2. Implement web application firewalls (WAFs) with rules to detect and block CSRF attack patterns targeting WP Rentals endpoints. 3. Enforce strict user session management and consider adding additional verification steps for sensitive actions within the plugin. 4. Use security plugins or custom code to add anti-CSRF tokens to all state-changing requests if the plugin does not natively support them. 5. Educate users and administrators about the risks of phishing and the importance of not clicking suspicious links while logged into administrative accounts. 6. Restrict plugin permissions to the minimum necessary roles to limit the scope of potential damage. 7. Conduct regular security audits and penetration testing focused on WordPress plugins, including WP Rentals. 8. Monitor logs for unusual or unauthorized requests that could indicate exploitation attempts. 9. Consider isolating the WP Rentals plugin functionality or using sandbox environments to reduce exposure. 10. Maintain regular backups to enable quick recovery in case of successful exploitation.