CVE-2025-7965 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the CBX Restaurant Booking WordPress plugin, specifically in versions up to 1.2.1. This plugin is used to manage restaurant bookings on WordPress sites. The vulnerability arises because the plugin lacks proper CSRF protections when updating its settings. CSRF vulnerabilities allow an attacker to trick an authenticated administrator into performing unwanted actions without their consent by exploiting the trust that a web application has in the user's browser. In this case, an attacker could craft a malicious web page or link that, when visited by a logged-in WordPress administrator, could cause the plugin's settings to be changed without the administrator's knowledge or approval. Since the affected functionality involves administrative settings, unauthorized changes could lead to misconfiguration, potentially affecting the booking system's behavior, availability, or security posture. The vulnerability does not require the attacker to have direct access to the administrator's credentials but does require the administrator to be logged in and to visit a malicious page or link. There is no CVSS score assigned yet, and no known exploits are reported in the wild. The vulnerability is categorized under CWE-352, which is a well-known web security weakness related to CSRF attacks. No official patches or updates are currently linked, indicating that mitigation may require manual intervention or waiting for an official update from the plugin developers.

For European organizations using the CBX Restaurant Booking plugin on their WordPress sites, this vulnerability could lead to unauthorized changes in booking configurations or administrative settings. This could disrupt business operations by causing booking errors, denial of service to customers, or manipulation of reservation data. Confidentiality risks are moderate since the vulnerability does not directly expose sensitive data but could be leveraged in multi-stage attacks. Integrity is significantly impacted as unauthorized changes could alter booking workflows or administrative controls. Availability could also be affected if settings changes disrupt the booking system's normal operation. Given the reliance on WordPress for many small and medium enterprises in Europe, especially in the hospitality sector, this vulnerability could affect a broad range of businesses. The requirement for an authenticated administrator session limits the attack scope but does not eliminate risk, especially in environments where administrators may be targeted via phishing or social engineering to visit malicious sites. The absence of known exploits reduces immediate risk but does not preclude future exploitation. Organizations could face reputational damage and customer trust erosion if booking systems are compromised or disrupted.

European organizations should immediately audit their WordPress sites for the presence of the CBX Restaurant Booking plugin and identify if they are running vulnerable versions (up to 1.2.1). Until an official patch is released, administrators should be advised to avoid visiting untrusted websites while logged into WordPress admin accounts to reduce the risk of CSRF exploitation. Implementing web application firewalls (WAFs) with rules to detect and block CSRF attack patterns can provide an additional layer of defense. Organizations should also enforce strict administrative session management policies, including short session timeouts and multi-factor authentication (MFA) for WordPress admin accounts to reduce the risk of session hijacking. Reviewing and hardening WordPress security configurations, including disabling unnecessary plugins and limiting admin user privileges, can further reduce attack surface. Monitoring administrative actions and changes in plugin settings through logging and alerting can help detect suspicious activities early. Finally, organizations should track updates from the plugin vendor and apply patches promptly once available.