CVE-2025-49904
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Reflected XSS. This issue affects Booking and Rental Manager: from n/a through <= 2.5.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Booking and Rental Manager plugin for WooCommerce ≤2.5.3 allows attackers to inject scripts via crafted links, risking site compromise.
Vulnerability Overview
A reflected cross-site scripting (XSS) vulnerability exists in the Booking and Rental Manager plugin for WooCommerce, versions up to and including 2.5.3 [1]. The issue stems from improper neutralization of user input during web page generation, allowing attackers to inject arbitrary HTML and JavaScript.
Exploitation
An attacker can craft a malicious link containing the payload. Successful exploitation requires a privileged user (e.g., administrator) to click the link or visit a crafted page [1]. User interaction is necessary for the attack to succeed.
Impact
If exploited, the attacker can execute malicious scripts in the context of the victim's browser. This could lead to session hijacking, redirection to malicious sites, defacement, or other malicious activities [1].
Mitigation
The vulnerability is patched in version 2.5.4 [1]. Users are strongly advised to update immediately. Patchstack also offers a mitigation rule to block attacks until the update is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.