← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2025-22301 · CWE-352 · Disclosed 2025-01-07

Cross-Site Request Forgery

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is less a break-in and more a forged sticky note that only works if the site owner reads it while already at the desk

CVE-2025-22301 is a CSRF flaw in the WordPress MyBookTable Bookstore plugin affecting versions through 3.5.3 and fixed in 3.5.4. Wordfence attributes it to missing or incorrect nonce validation in mbt_add_admin_notices(), which lets an unauthenticated attacker trick a logged-in administrator into making an unwanted state-changing request that can add the plugin's pages.

The vendor's MEDIUM 5.4 score is technically defensible in a vacuum, but it overstates operational urgency for enterprise patch queues. This is not unauthenticated RCE, not auth bypass, not data theft, and not broadly wormable; it needs the plugin to be installed, a privileged WordPress admin session, and a successful lure. That combination sharply narrows both reachable population and reliable exploitation, so this lands as LOW in the real world.

"This is an admin-click nuisance, not a fleet-emergency patch."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Identify a site running mybooktable

An attacker first needs a WordPress site that actually runs the vulnerable plugin. In practice this is done with basic recon using browser requests, curl, WP enumeration, or a tool like WPScan against public assets and plugin paths. The exploit chain dies immediately if the plugin is absent or already updated past 3.5.3.
Conditions required:
  • Target runs WordPress
  • MyBookTable Bookstore plugin is installed
  • Installed version is <= 3.5.3
Where this breaks in practice:
  • WordPress.org shows only a small install base for this plugin
  • Plugin presence/version is not always externally fingerprintable
  • A large enterprise fleet usually has very few author-marketing plugins at all
Detection/coverage: External vuln scanners may spot exposed plugin files, but reliable version detection is inconsistent. Asset/SBOM or WP-CLI inventory on the host is better than perimeter scanning.
STEP 02

Build a forged request

The attacker then creates a simple CSRF lure, typically an HTML page or direct link assembled with Burp Suite, browser dev tools, or plain hand-written HTML. Because the reported weakness is missing/incorrect nonce validation around mbt_add_admin_notices(), the payload targets a state-changing admin action without needing valid anti-CSRF material.
Conditions required:
  • Attacker can determine the vulnerable endpoint/action
  • Request shape matches what the plugin expects
Where this breaks in practice:
  • Impact is limited to the specific state change exposed by this function
  • This is not a generalized admin takeover primitive
  • No strong public exploit corpus was found, so actors still need to assemble their own trivial PoC
Detection/coverage: Most commodity scanners won't prove exploitability here. Web logs may show an unusual admin request path or referrer, but this is often missed unless WordPress admin actions are centrally logged.
STEP 03

Social-engineer a logged-in administrator

The forged request only works if a privileged user with an active WordPress session visits the lure or clicks the crafted link. Common delivery paths are phishing email, chat, forum messages, or malicious content on a website the admin browses while still authenticated to /wp-admin/.
Conditions required:
  • Victim is a WordPress administrator or similarly privileged user
  • Victim is logged in at the time of click/visit
  • Victim performs the required interaction
Where this breaks in practice:
  • This is user-interaction dependent
  • It requires admin context, which implies a much smaller target set than ordinary site visitors
  • Email security, browser isolation, secure web gateways, and basic user skepticism all cut success rates
Detection/coverage: Mail security and browser telemetry are more likely to catch the delivery stage than the CSRF itself. If EDR/browser isolation is in place, the social-engineering prerequisite is where defenders usually win.
STEP 04

Land the unwanted page-creation action

If the admin is successfully lured, the plugin performs the action under that admin's session and can add MyBookTable pages. The result is limited integrity impact with some operational annoyance; there is no evidence in the public record reviewed that this CVE alone yields code execution, credential theft, or tenant-wide compromise.
Conditions required:
  • The admin request is accepted by the vulnerable plugin logic
  • WordPress permissions allow the resulting action
Where this breaks in practice:
  • Blast radius is narrow and feature-specific
  • The outcome is visible and often reversible
  • By itself this is poor material for mass exploitation campaigns
Detection/coverage: WordPress audit logging plugins, admin activity logs, or file/content integrity review can reveal unexpected page creation after the fact. Signature-based network detection is weak because the request often looks like normal authenticated admin traffic.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of active exploitation found in the reviewed sources, and CISA KEV does not list CVE-2025-22301.
PoC availabilityNo notable public GitHub/Exploit-DB PoC surfaced in review; however, this is still easy to hand-craft as a basic HTML/link CSRF once the endpoint is known.
EPSS0.0009 from the supplied intel, which is very low. Percentile was not supplied in the prompt.
KEV statusNot listed in the CISA Known Exploited Vulnerabilities Catalog.
CVSS vector meaningAV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L means network-reachable but click-dependent, with no confidentiality impact and only low integrity/availability impact.
Affected versionsMyBookTable Bookstore <= 3.5.3 according to NVD, Patchstack, and Wordfence.
Fixed version3.5.4 is the first fixed release. WordPress.org currently shows the plugin at 3.6.0, so supported current installs already have a patched line available.
Root cause / vulnerable functionWordfence says the flaw is due to missing or incorrect nonce validation in mbt_add_admin_notices().
Exposure populationThis is a small-footprint plugin. WordPress.org shows 1,000+ active installations and WPScan reports 2,000. Also, internet-scale scanners cannot reliably fingerprint this plugin/version from the edge, so perimeter counts understate or miss true install base.
Disclosure / creditPublished 2025-01-07 in the CVE/NVD flow; Patchstack shows disclosure on 2025-01-06 and credits Dhabaleshwar Das.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.2/10)

The single biggest severity reducer is that this flaw requires a logged-in privileged WordPress administrator to be successfully lured into clicking or visiting attacker-controlled content. That makes it a post-social-engineering, narrow-population integrity issue, not a broad initial-access or fleet-wide compromise driver.

HIGH Affected/fixed version range
HIGH Root cause as a nonce-validation CSRF issue
MEDIUM Real-world exploitation likelihood
MEDIUM Exact operational impact of the forged action

Why this verdict

  • Admin session required: despite PR:N in CVSS, the exploit only lands if a privileged authenticated WordPress user performs the request, which is strong real-world friction.
  • User interaction is mandatory: the chain needs a successful lure. That is a separate stage modern controls like SEG, browser isolation, and user awareness can disrupt.
  • Blast radius is narrow: public descriptions point to adding plugin pages, not code execution, credential theft, database readout, or full site takeover.
  • Small reachable population: this is a niche WordPress plugin with a modest install base, not a ubiquitous enterprise platform.
  • No exploitation pressure: no KEV listing, no public active-campaign reporting, and an EPSS of 0.0009 all push urgency down.

Why not higher?

This is not an unauthenticated one-shot compromise. The attacker must first find a site with this plugin, then reach an authenticated administrator, then win user interaction, and even then the public record only supports limited page-creation impact. That is too much chain friction for MEDIUM/HIGH operational urgency in an enterprise patch queue.

Why not lower?

It still performs an unauthorized state-changing action in administrator context, so dismissing it entirely would be sloppy. In environments that host public author sites or where admins browse mail and the web from the same browser session, CSRF can still produce real changes and deserves cleanup during routine maintenance.

05 · Compensating Control

What to do — in priority order.

  1. Separate admin browsing from email/web surfing — Keep WordPress admin work in a dedicated browser profile or isolated admin workstation so opportunistic CSRF lures have fewer chances to inherit an authenticated session. For a LOW verdict there is no SLA; treat this as backlog hygiene and implement during the next normal hardening cycle.
  2. Restrict /wp-admin/ exposure — Put WordPress admin behind VPN, reverse-proxy ACLs, IP allowlists, or identity-aware access where feasible. This does not fix CSRF directly, but it reduces the number of admins who can be targeted from random internet browsing contexts. For a LOW verdict there is no SLA; align this with standard admin-surface reduction work.
  3. Enable WordPress admin activity logging — Capture page creation, plugin configuration changes, and admin actions so forged requests leave an audit trail. This helps you spot abuse that perimeter scanners miss. For a LOW verdict there is no SLA; add it as routine CMS control improvement.
  4. Inventory and update the plugin — Use WP-CLI, filesystem inventory, or CMS management tooling to find mybooktable and move any remaining installs to 3.5.4+. For a LOW verdict there is no SLA; bundle it into the next scheduled WordPress/plugin maintenance window.
What doesn't work
  • MFA alone doesn't stop CSRF once the admin is already logged in; the forged request rides the existing session.
  • Network IDS signatures are weak here because the malicious request can look like ordinary authenticated admin traffic.
  • Generic WAF rules often miss feature-specific CSRF unless they understand the exact plugin endpoint and can enforce nonce or origin expectations.
06 · Verification

Crowdsourced verification payload.

Run this on the target WordPress host or inside the container/VM that serves the site. Invoke it as bash check-cve-2025-22301.sh /var/www/html where the argument is the WordPress root; it needs only read access to the plugin files, though wp-cli detection works best if the web user can read the install.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check-cve-2025-22301.sh
# Determine whether WordPress plugin mybooktable is vulnerable to CVE-2025-22301
# Affected: <= 3.5.3
# Fixed:    >= 3.5.4
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

TARGET="${1:-}"
PLUGIN_SLUG="mybooktable"
FIXED_VERSION="3.5.4"

if [[ -z "$TARGET" ]]; then
  echo "UNKNOWN - usage: $0 /path/to/wordpress/root"
  exit 2
fi

if [[ ! -d "$TARGET" ]]; then
  echo "UNKNOWN - target path does not exist: $TARGET"
  exit 2
fi

PLUGIN_DIR="$TARGET/wp-content/plugins/$PLUGIN_SLUG"
MAIN_FILE="$PLUGIN_DIR/mybooktable.php"
README_FILE="$PLUGIN_DIR/readme.txt"
VERSION=""

verlte() {
  # returns 0 if $1 <= $2
  [[ "$1" == "$2" ]] && return 0
  local first
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)
  [[ "$first" == "$1" ]]
}

# Prefer WP-CLI when available
if command -v wp >/dev/null 2>&1; then
  if wp --path="$TARGET" plugin is-installed "$PLUGIN_SLUG" >/dev/null 2>&1; then
    VERSION=$(wp --path="$TARGET" plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null || true)
  fi
fi

# Fallback: parse main plugin header
if [[ -z "$VERSION" && -f "$MAIN_FILE" ]]; then
  VERSION=$(grep -iE '^\s*Version:\s*' "$MAIN_FILE" | head -n1 | sed -E 's/^\s*Version:\s*//I' | tr -d '\r' | xargs)
fi

# Fallback: parse readme stable tag
if [[ -z "$VERSION" && -f "$README_FILE" ]]; then
  VERSION=$(grep -iE '^\s*Stable tag:\s*' "$README_FILE" | head -n1 | sed -E 's/^\s*Stable tag:\s*//I' | tr -d '\r' | xargs)
fi

if [[ ! -d "$PLUGIN_DIR" ]]; then
  echo "UNKNOWN - plugin '$PLUGIN_SLUG' not installed under $TARGET"
  exit 2
fi

if [[ -z "$VERSION" ]]; then
  echo "UNKNOWN - plugin installed but version could not be determined"
  exit 2
fi

if verlte "$VERSION" "3.5.3"; then
  echo "VULNERABLE - mybooktable version $VERSION is <= 3.5.3"
  exit 1
fi

if verlte "$FIXED_VERSION" "$VERSION"; then
  echo "PATCHED - mybooktable version $VERSION is >= 3.5.4"
  exit 0
fi

# Defensive catch-all for odd version formats
echo "UNKNOWN - unhandled version string: $VERSION"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, inventory where mybooktable actually exists first; most enterprises will find this is a tiny slice of the fleet or none at all. Because this is LOW, there is no noisgate mitigation SLA and no noisgate remediation SLA beyond backlog hygiene, so don't preempt your urgent patch queue for it: document exposure, separate WordPress admin browsing from general web/email use where possible, and roll 3.5.4+ during the next normal WordPress/plugin maintenance window rather than treating this like an emergency.

Sources

  1. NVD CVE-2025-22301
  2. Patchstack advisory for MyBookTable <= 3.5.3 CSRF
  3. Wordfence record with vulnerable function details
  4. WPScan plugin vulnerability page
  5. WordPress.org MyBookTable plugin page
  6. CISA Known Exploited Vulnerabilities Catalog
  7. FIRST EPSS overview
  8. FIRST API documentation for EPSS queries
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.