WPBookit WordPress Plugin Cross-Site Request Forgery Vulnerability Allowing Customer Deletion
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WPBookit WordPress plugin, affecting versions through 1.0.7. The plugin's AJAX handler for deleting customers does not verify a nonce, so the server cannot distinguish a deletion initiated by a logged-in user from one forged by a third-party page that the same user happens to be viewing. An attacker with no account on the site can therefore delete any customer by inducing a logged-in user with the necessary privileges (for example, an administrator) to load a page that submits the forged request from the victim's browser.
Impact
Exploitation of this vulnerability leads to the unauthorized deletion of customer records from the WordPress site, with the corresponding loss of booking and contact data. Because the forged request is issued by the victim's own browser with the victim's session cookie, it is processed with the victim's privileges and is indistinguishable server-side from a legitimate deletion.
Reproduction
To reproduce this vulnerability, send a POST request to 'wp-admin/admin-ajax.php' with the action 'wpb_ajax_post', the route name 'delete_customer', and the ID of the customer to be deleted. The request must carry the session cookie of a logged-in user who is allowed to delete customers; in a real attack that cookie is attached automatically when the victim's browser submits a form hosted on the attacker's page. Because the handler performs no CSRF nonce check, the request is processed and the specified customer is deleted. A fixed version must reject the same request when it lacks a valid nonce for the current user.
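The following PHP is an added example for this advisory, not WPBookit's own code. It reconstructs the shape of an admin-ajax.php handler for action 'wpb_ajax_post' and route 'delete_customer' in the vulnerable form the advisory describes, beside a hardened dispatcher that verifies a nonce before resolving the route and then checks the caller's capability. Everything beyond the action and route names is assumed: the POST field carrying the route ('route_name'), the nonce field ('nonce'), the nonce action ('wpb_ajax'), the customers table, the required capability, and the admin script handle 'wpb-admin'.

```php
<?php
/**
 * Added example for this advisory; it is not WPBookit's code. It reconstructs
 * the shape of an admin-ajax.php handler for action 'wpb_ajax_post' / route
 * 'delete_customer' and shows the missing checks. Assumed (hypothetical)
 * names: the POST field carrying the route ('route_name'), the nonce field
 * ('nonce'), the nonce action ('wpb_ajax'), the customers table, the required
 * capability, and the admin script handle 'wpb-admin'.
 */

// --- Vulnerable shape: the handler trusts any request that reaches it. A page
// controlled by the attacker can make the victim's browser POST here, and the
// victim's WordPress login cookie is attached automatically. ---
function wpb_delete_customer_vulnerable() {
    global $wpdb;
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    $wpdb->delete( $wpdb->prefix . 'wpb_customers', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}

// --- Hardened shape ---

// Dispatcher for action 'wpb_ajax_post'. The nonce is verified before any
// route is resolved, so every route inherits the check.
function wpb_ajax_post_dispatch() {
    // check_ajax_referer() ends the request with HTTP 403 and body "-1" when
    // the nonce is missing, expired, or issued for a different action or user.
    check_ajax_referer( 'wpb_ajax', 'nonce' );

    $route  = isset( $_POST['route_name'] ) ? sanitize_key( wp_unslash( $_POST['route_name'] ) ) : '';
    $routes = array(
        'delete_customer' => 'wpb_delete_customer_hardened',
    );
    if ( ! isset( $routes[ $route ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown route.' ), 404 );
    }
    call_user_func( $routes[ $route ] );
}
// Logged-in users only: no wp_ajax_nopriv_ hook is registered, so anonymous
// requests never reach the dispatcher at all.
add_action( 'wp_ajax_wpb_ajax_post', 'wpb_ajax_post_dispatch' );

function wpb_delete_customer_hardened() {
    global $wpdb;

    // A valid nonce proves the request came from a page the site rendered for
    // this user; it says nothing about whether the user may delete customers.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Invalid customer ID.' ), 400 );
    }

    $deleted = $wpdb->delete(
        $wpdb->prefix . 'wpb_customers',
        array( 'id' => $id ),
        array( '%d' )
    );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// Hand the nonce to the plugin's admin JavaScript so legitimate requests can
// send it as the 'nonce' POST field alongside action, route_name and id.
function wpb_admin_scripts() {
    wp_localize_script( 'wpb-admin', 'wpbAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'wpb_ajax' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wpb_admin_scripts' );
```

Two points worth keeping in mind when applying a fix of this shape: the nonce check and the capability check are not interchangeable, since a nonce only proves that the request originated from a page WordPress rendered for that user, while current_user_can() decides whether that user is allowed to perform the deletion at all; and the quickest regression check is to replay the reproduction request above with the 'nonce' field omitted, which should now come back as HTTP 403 with the body "-1".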
