CVE-2025-46458 HIGH

CVE-2025-46458: WordPress occupancyplan plugin <= 1.0.3.0 - CSRF to SQL Injection vulnerability

Vendor X000X
Product occupancyplan
Weakness CWE-352 · CSRF
Published May 23, 2025
Last update May 12, 2026

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality High
Integrity None
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L

What the vulnerability does

01 Description

Cross-Site Request Forgery (CSRF) vulnerability in x000x occupancyplan occupancyplan allows SQL Injection. This issue affects occupancyplan: from n/a through <= 1.0.3.0.

Explanation of Vulnerability in Simple Terms

02 Summary

OccupancyPlan versions 1.0.3.0 and earlier are vulnerable to cross-site request forgery (CSRF). An attacker can craft a malicious webpage that, when visited by a logged-in user, submits a request to the plugin on that user's behalf; here the forged request reaches a SQL query, which is why the record is classified as CSRF leading to SQL injection. The attack requires the victim to visit the attacker's page while authenticated, and it can result in unauthorized changes and potential service disruption.

What an attacker can do

03 Attacker Capabilities

Perform unwanted actions on behalf of a logged-in user, such as modifying settings or data.

Potential impact on your site

04 Site Impact

Users' accounts can be manipulated to make unauthorized changes without their knowledge or consent.

Conditions required to exploit

05 Prerequisites

Victim must be logged in and visit an attacker-controlled webpage.
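The CSRF-to-SQL-injection chain described in the summary and prerequisites above comes down to a state-changing handler that neither verifies a WordPress nonce nor binds its SQL parameters. The following is an added illustration, not occupancyplan's code: the handler, table, form field and `hypo_` function names are hypothetical, and it shows the weak pattern beside the hardened one a plugin reviewer would expect.

```php
<?php
// Added illustration, not occupancyplan's code: a hypothetical admin-post
// handler that saves a room capacity. The weak version shows the CSRF ->
// SQL injection pattern this CVE describes; the hardened version adds the
// checks a plugin reviewer looks for.

// --- Weak pattern: what to look for when auditing a handler -------------
function hypo_save_capacity_weak() {
    global $wpdb;
    // No nonce and no capability check, so any page a logged-in admin visits
    // can submit this form; raw $_POST is then interpolated into SQL, so the
    // forged request also carries the attacker's SQL.
    $wpdb->query( "UPDATE {$wpdb->prefix}hypo_rooms SET capacity = '{$_POST['capacity']}' WHERE id = {$_POST['room_id']}" );
    wp_safe_redirect( admin_url( 'admin.php?page=hypo-rooms' ) );
    exit;
}

// --- Hardened pattern ----------------------------------------------------
function hypo_render_capacity_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypo_save_capacity">
        <?php wp_nonce_field( 'hypo_save_capacity', 'hypo_nonce' ); ?>
        <input type="number" name="room_id">
        <input type="number" name="capacity">
        <button type="submit">Save</button>
    </form>
    <?php
}

function hypo_save_capacity() {
    global $wpdb;
    // 1. CSRF: the nonce is bound to the user's session and this action name,
    //    so a cross-site form cannot supply it; check_admin_referer() dies
    //    with HTTP 403 on mismatch.
    check_admin_referer( 'hypo_save_capacity', 'hypo_nonce' );
    // 2. Authorization: a valid nonce is not a permission check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 3. SQL injection: coerce to integers, then bind with $wpdb->prepare().
    $room_id  = absint( $_POST['room_id'] ?? 0 );
    $capacity = absint( $_POST['capacity'] ?? 0 );
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->prefix}hypo_rooms SET capacity = %d WHERE id = %d",
        $capacity, $room_id
    ) );
    wp_safe_redirect( admin_url( 'admin.php?page=hypo-rooms' ) );
    exit;
}
add_action( 'admin_post_hypo_save_capacity', 'hypo_save_capacity' );
```

When auditing a plugin for this class of issue, grep every `admin_post_*`, `wp_ajax_*` and `admin_init` handler for a `check_admin_referer()` or `wp_verify_nonce()` call and for `$wpdb` queries built by string interpolation rather than `$wpdb->prepare()`.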

Key dates

06 Disclosure timeline

May 23, 2025 CVE published
May 12, 2026 Record updated