CVE-2025-23690: 
WordPress vulnerability analysis and mitigation

The WordPress Book a Place plugin version 0.7.1 and below contains a Cross-Site Request Forgery (CSRF) vulnerability that leads to Stored Cross-Site Scripting. The vulnerability was discovered by researcher Muhamad Agil Fachrian and was publicly disclosed on January 16, 2025. This security issue affects all installations of the Book a Place WordPress plugin up to version 0.7.1, with no official fix currently available (Patchstack).

The vulnerability has been assigned a CVSS score of 7.1 (Low severity) with the following vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The security issue combines two vulnerability types: Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS). The vulnerability falls under the OWASP Top 10 category A3: Injection (Patchstack).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The combination of CSRF with Stored XSS could potentially lead to persistent attacks that affect multiple users of the affected WordPress installations (Patchstack).

Currently, there is no official fix available for this vulnerability. Given the low severity impact and unlikely exploitation potential, the vulnerability has been marked as 'vPatch unnecessary'. Website administrators using the affected plugin should monitor for any suspicious activities and consider implementing general security best practices (Patchstack).