CVE-2025-47489

Vulnerability

Overview The Beds24 Online Booking plugin for WordPress, versions up to and including 2.0.29, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed when other users access the affected page.

Exploitation

Conditions Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link or submitting a crafted form [1]. The attacker does not need direct access to the site but must convince a privileged user to interact with the payload. Once triggered, the injected script is stored and will execute for any visitor viewing the compromised page.

Impact

Successful exploitation allows an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, into the website [1]. These scripts execute in the context of the victim's browser, potentially leading to session hijacking, defacement, or further compromise of the site and its users.

Mitigation

The vulnerability has been addressed in version 2.0.30 of the plugin [1]. Users are strongly advised to update immediately. For those unable to update, enabling auto-updates for vulnerable plugins via Patchstack or consulting a hosting provider is recommended [1].