CVE-2025-52787

Vulnerability

Overview

An Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability exists in the WordPress Tennis Court Bookings plugin, versions up to and including 1.2.7. This is a reflected XSS flaw, meaning the attacker's payload is reflected off a web application immediately, without being stored persistently [1]. The root cause is insufficient sanitization of user-supplied input before it is included in a web page response.

Exploitation

Requirements

Exploitation does not require authentication, as reflected XSS can be triggered by any visitor. However, successful execution requires user interaction—a victim must click on a malicious link or visit a crafted page that submits the crafted input to the vulnerable plugin [1]. This interaction could be initiated by a privileged user, but the vulnerability itself can be triggered by unauthenticated actors.

Impact

An attacker can inject arbitrary HTML and JavaScript into the victim's browser session. This could lead to redirects to malicious sites, injection of unwanted advertisements, theft of session cookies, or defacement of the website [1]. The plugin's moderate severity (CVSS 7.1) and inclusion in mass-exploit campaigns heighten the risk for site owners.

Mitigation

The plugin author has not released a patch as of the disclosure date. Site administrators should immediately update the plugin to the latest version once available, or remove it if it reaches end-of-life. Patchstack has released a virtual mitigation rule that blocks attacks until an official fix is applied [1]. As the vulnerability is expected to be actively exploited, prompt action is recommended.