CVE-2025-25173

Vulnerability

Description

The FastBook responsive appointment booking and scheduling system plugin for WordPress versions up to and including 1.1 contains a stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This allows an authenticated attacker with the required privileges to inject arbitrary HTML and JavaScript code that will be stored on the server and executed in the browsers of site visitors [1].

Exploitation

Requirements

Exploitation requires user interaction from a privileged role, such as clicking a malicious link or submitting a crafted form [1]. Once the payload is stored, it executes automatically when any guest visits the affected page, making it suitable for mass-exploit campaigns targeting thousands of sites regardless of size or popularity [1].

Impact

Successful exploitation enables a malicious actor to inject malicious scripts, redirects, advertisements, and other HTML payloads into the website [1]. This can lead to defacement, phishing, or further compromise of visitors' sessions and data. The CVSS v3.1 base score is 7.1, reflecting high impact on confidentiality, integrity, and availability with low attack complexity.

Mitigation

Immediate action is advised: update the FastBook plugin to a patched version or apply a mitigation rule provided by vulnerability management services like Patchstack [1]. An official patch may be available; users unable to update should consult their hosting provider or web developer for assistance [1].