CVE-2025-26910
Published: 10 March 2025
Summary
CVE-2025-26910 is a high-severity CSRF (CWE-352) vulnerability in Iqonic Design WPBookit. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 31.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-26910 is a Cross-Site Request Forgery (CSRF) vulnerability in the WPBookit WordPress plugin developed by Iqonic Design, which enables Stored XSS. This issue affects WPBookit versions from n/a through 1.0.1 and is associated with CWE-352.
The vulnerability can be exploited by unauthenticated remote attackers (AV:N/PR:N) with low attack complexity (AC:L), though it requires user interaction (UI:R). Exploitation involves tricking authenticated users into submitting malicious requests, resulting in the storage of XSS payloads. This leads to low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), but with changed scope (S:C), yielding a CVSS v3.1 base score of 7.1.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpbookit/vulnerability/wordpress-wpbookit-plugin-1-0-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve. The vulnerability was published on 2025-03-10.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7716
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit wpbookit allows Stored XSS. This issue affects WPBookit: from n/a through <= 1.0.1.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability in the public-facing WordPress plugin directly enables exploitation of the web application (T1190) to inject and store XSS payloads, which facilitates arbitrary JavaScript execution in the browser (T1059.007).
Mitigating Controls (NIST 800-53 r5)
SC-23 requires session authenticity mechanisms such as CSRF tokens to prevent unauthorized forged requests from storing XSS payloads.
SI-10 enforces input validation to reject malicious XSS payloads submitted via the CSRF vulnerability before storage.
SI-15 applies output filtering and encoding to neutralize any stored XSS payloads resulting from CSRF exploitation.
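The three controls above map directly onto a WordPress request handler. The following is an added example written for this page, not WPBookit's own code: a hypothetical admin-post handler (option key, field names and action slug are invented) that layers a CSRF nonce (SC-23), input validation before storage (SI-10) and output escaping (SI-15), which is the pattern that closes this vulnerability class.

```php
<?php
// Added example (not WPBookit's code): a hypothetical WordPress admin-post
// handler that saves a booking-form label. The flaw class on this page is a
// state-changing request accepted without a CSRF nonce, so a logged-in admin
// lured to an attacker page can be made to store attacker-controlled HTML.

// Hypothetical option key; not taken from the plugin.
const BOOKIT_DEMO_OPTION = 'bookit_demo_form_label';

// Render the settings form. The nonce field is the SC-23 control.
function bookit_demo_render_form() {
    $current = get_option( BOOKIT_DEMO_OPTION, '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="bookit_demo_save">';
    wp_nonce_field( 'bookit_demo_save', 'bookit_demo_nonce' ); // per-user, time-limited token
    // SI-15: escape on output so a stored value can never run as script.
    echo '<input type="text" name="form_label" value="' . esc_attr( $current ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// Handle the POST. admin_post_{action} only fires for logged-in users, but
// "logged in" is exactly what CSRF rides on, so every check below matters.
function bookit_demo_save() {
    // SC-23: reject requests that lack a valid nonce for this action.
    // check_admin_referer() stops execution with a 403 page on failure.
    check_admin_referer( 'bookit_demo_save', 'bookit_demo_nonce' );

    // Least privilege: the caller must actually be allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // SI-10: validate and sanitise before storage (strips tags and control chars).
    $label = isset( $_POST['form_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['form_label'] ) )
        : '';
    if ( '' === $label || strlen( $label ) > 100 ) {
        wp_die( 'Invalid form label', '', array( 'response' => 400 ) );
    }

    update_option( BOOKIT_DEMO_OPTION, $label );
    wp_safe_redirect( admin_url( 'options-general.php?bookit_demo=saved' ) );
    exit;
}
add_action( 'admin_post_bookit_demo_save', 'bookit_demo_save' );
```

Detection-wise, a POST to admin-post.php or admin-ajax.php for a state-changing action that arrives without the plugin's nonce parameter, or with a Referer from an unrelated origin, is the request shape this pattern rejects and is worth logging.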