CVE-2025-58991 Overview
CVE-2025-58991 is a Cross-Site Request Forgery (CSRF) vulnerability in the Cristiano Zanca WooCommerce Booking Bundle Hours WordPress plugin. The flaw allows an attacker to trick an authenticated administrator into submitting a crafted request that stores malicious JavaScript in the plugin's configuration. The stored payload executes in the browser of any user viewing the affected page, resulting in Stored Cross-Site Scripting (XSS). The issue affects all versions of WooCommerce Booking Bundle Hours from n/a through 0.7.4. The vulnerability is tracked under CWE-352.
Critical Impact
Successful exploitation chains CSRF with Stored XSS, allowing attackers to hijack administrator sessions, alter store content, and pivot to further compromise of the WooCommerce site.
Affected Products
- Cristiano Zanca WooCommerce Booking Bundle Hours plugin for WordPress
- All versions from n/a through 0.7.4
- WordPress sites running WooCommerce with the vulnerable plugin enabled
Discovery Timeline
- 2025-09-09 - CVE-2025-58991 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2025-58991
Vulnerability Analysis
The plugin exposes state-changing administrative actions without verifying request authenticity. WordPress plugins are expected to validate a nonce using wp_verify_nonce() or check_admin_referer() before processing form submissions or AJAX requests. WooCommerce Booking Bundle Hours up to version 0.7.4 omits or improperly implements this check on at least one settings endpoint.
Because the affected action accepts input that is later rendered in plugin pages without adequate output encoding, an attacker can persist arbitrary HTML and JavaScript through the forged request. The payload executes in the browser context of users who load the affected admin or front-end page, producing a Stored XSS condition.
User interaction is required: an authenticated administrator must visit an attacker-controlled page or click a crafted link while logged into WordPress. The scope is changed because the injected script runs against a different security context than the one targeted by the CSRF.
Root Cause
The root cause is missing or insufficient CSRF protection on plugin settings handlers, combined with inadequate sanitization and escaping of the values written to persistent storage. Both defenses are required: nonce validation prevents forged submissions, and escaping with functions such as esc_html() or wp_kses() prevents script execution on render.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker hosts a page containing an auto-submitting HTML form or image tag that targets the vulnerable plugin endpoint on the victim's WordPress site. When an authenticated administrator visits that page, the browser submits the request with valid session cookies, and the plugin stores the attacker-supplied script. Any subsequent visitor to the affected page executes the payload.
See the Patchstack advisory for WooCommerce Booking Bundle Hours for additional context on the affected endpoint.
Detection Methods for CVE-2025-58991
Indicators of Compromise
- Unexpected <script>, <iframe>, or event-handler attributes stored in WooCommerce Booking Bundle Hours plugin options within the wp_options table.
- Administrator HTTP POST requests to plugin settings endpoints without a corresponding referer from wp-admin.
- New or modified WordPress administrator accounts created shortly after an admin browsing session.
- Outbound requests from administrator browsers to unfamiliar domains when loading plugin-rendered pages.
Detection Strategies
- Audit the wp_options rows associated with the plugin for HTML markup or JavaScript content that should not be present.
- Inspect web server access logs for POST requests to plugin admin handlers that lack the standard wp-admin referer header or carry no _wpnonce parameter.
- Use WordPress integrity scanners and plugin diffing to confirm 0.7.4 or earlier is installed on production sites.
Monitoring Recommendations
- Enable WordPress audit logging to record changes to plugin settings and administrator accounts.
- Monitor browser-side telemetry on administrator workstations for script execution against the WordPress admin origin.
- Alert on anomalous administrator sessions originating from unusual geolocations or user agents.
How to Mitigate CVE-2025-58991
Immediate Actions Required
- Identify all WordPress installations running WooCommerce Booking Bundle Hours version 0.7.4 or earlier.
- Disable the plugin until a fixed version is installed if business operations permit.
- Force a password reset and session invalidation for all WordPress administrators on affected sites.
- Review plugin-stored options and recently modified posts or pages for injected scripts and remove them.
Patch Information
No fixed version is listed in the available advisory data at the time of writing. Monitor the Patchstack advisory and the plugin's WordPress.org page for an updated release that addresses CVE-2025-58991.
Workarounds
- Place the WordPress admin interface behind a Web Application Firewall (WAF) rule that enforces same-origin referer checks on plugin POST endpoints.
- Restrict access to /wp-admin/ by source IP address using web server or reverse proxy rules.
- Require administrators to use a dedicated browser profile for WordPress management to limit cross-site request exposure.
- Apply a Content Security Policy (CSP) on the WordPress site that disallows inline scripts to limit the impact of stored payloads.
# Example nginx configuration to restrict wp-admin access by source IP
location ^~ /wp-admin/ {
allow 203.0.113.0/24; # trusted admin network
deny all;
try_files $uri $uri/ /index.php?$args;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
