CVE-2025-53330

Vulnerability

The WP Rentals theme for WordPress, versions 3.16.1 and earlier, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This allows users with certain privileges (e.g., subscribers or higher, depending on the role that can submit or modify rental listings) to inject arbitrary HTML and JavaScript code into the application [1].

Exploitation

Exploitation requires a privileged user action, such as submitting a crafted rental listing or profile field that is not properly sanitized. The injected payload is stored on the server and executed in the browsers of other users, including administrators and visitors, when they view the affected page. No direct external user interaction is needed beyond the initial submission by the authenticated attacker [1].

Impact

An attacker can inject malicious scripts to perform actions such as redirecting visitors to phishing sites, displaying unwanted advertisements, stealing session cookies, or defacing the website. The vulnerability has a CVSSv3 base score of 6.5 (Medium), and while it may be used in mass-exploit campaigns, the vendor considers it low severity and unlikely to be widely exploited [1].

Mitigation

The issue has been addressed in version 3.16.2 of the theme. Users are strongly advised to update WP Rentals to 3.16.2 or later. If immediate update is not possible, contacting a hosting provider or web developer for assistance is recommended [1].