{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12685", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2025-11-04T05:28:26.059Z", "datePublished": "2026-01-02T06:00:10.447Z", "dateUpdated": "2026-04-02T12:39:52.686Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:52.686Z"}, "title": "WPBookit <= 1.0.7 - Customer Deletion via CSRF", "problemTypes": [{"descriptions": [{"description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "WPBookit", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "1.0.7"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack."}], "references": [{"url": "https://wpscan.com/vulnerability/e5ba488a-b43d-4c5f-9716-4b24701999f3/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Drtime", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-02T21:08:37.289500Z", "id": "CVE-2025-12685", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-02T21:09:51.203Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-12685", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-02T21:08:37.289500Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-02T21:09:44.545Z"}}], "cna": {"title": "WPBookit <= 1.0.7 - Customer Deletion via CSRF", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Drtime"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "WPBookit", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.7"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/e5ba488a-b43d-4c5f-9716-4b24701999f3/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:52.686Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12685", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:52.686Z", "dateReserved": "2025-11-04T05:28:26.059Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-01-02T06:00:10.447Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack."}, {"lang": "es", "value": "El plugin de WordPress WPBookit hasta la versi\u00f3n 1.0.7 carece de una verificaci\u00f3n CSRF al eliminar clientes. Esto podr\u00eda permitir a un atacante no autenticado eliminar cualquier cliente mediante un ataque CSRF."}], "id": "CVE-2025-12685", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-02T06:15:53.283", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/e5ba488a-b43d-4c5f-9716-4b24701999f3/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred"}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T22:00:38.075883+00:00", "value": {"mitigation_remediation": ["Update WPBookit to the latest release (\u2265\u202f1.0.8 if available).", "Add a CSRF nonce check to the delete customer request, for example by using `wp_nonce_field()` and verifying it before deletion.", "If the plugin is no longer required, remove or deactivate WPBookit from the WordPress installation."], "summary": {"action": "Apply Patch", "impact": "Data Destruction via Unauthenticated Customer Deletion"}, "threat_synthesis": {"affected_systems": "WordPress plugin WPBookit, versions up to\u202f1.0.7. The issue applies to all releases\u202f\u2264\u202f1.0.7; the plugin is available in the WordPress repository and may be installed on any WordPress site.", "description_and_impact": "The vulnerability is a missing CSRF check in the delete customer endpoint of the WPBookit plugin up to version\u202f1.0.7. Without this protection, an unauthenticated attacker can trick an authenticated user into visiting a crafted link or embedding a request, resulting in the deletion of the targeted customer record. This causes irreversible data loss, impacting record integrity and potentially violating data retention and compliance requirements.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity with medium impact. The EPSS score of\u202f<\u202f1\u202f% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA KEV, but the lack of CSRF guard makes the attack path simple \u2013 an attacker only needs to host a malicious page or send a crafted HTTP request to an authenticated user's browser. The attack is feasible without any network access to the WordPress admin interface and does not require additional privileges. Thus, while the likelihood is low, the potential loss of customer data warrants timely remediation."}}}}, "created": "2026-01-05T10:14:12.629375+00:00", "updated": "2026-04-27T22:15:15.107546+00:00", "vendors": ["iqonic", "iqonic$PRODUCT$wpbookit", "iqonicdesign", "iqonicdesign$PRODUCT$wpbookit", "wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-352"]}