CVE-2025-54729

Vulnerability

Overview

The Webba Booking plugin for WordPress versions up to 6.0.5 contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw allows attackers to inject arbitrary HTML and JavaScript code that is stored on the server and executed in the browsers of visitors [1].

Exploitation

Details

Exploitation requires a privileged user, such as a contributor, to perform an action like clicking a malicious link or submitting a crafted form. Once triggered, the injected script persists and executes whenever other users access the affected page. The vulnerability is classified as medium severity (CVSS 5.9) and has been observed in mass-exploit campaigns targeting thousands of WordPress sites [1].

Impact

Successful exploitation enables an attacker to inject malicious scripts, redirects, advertisements, or other HTML payloads into the website. This can lead to defacement, phishing, or further compromise of site visitors' browsers. The impact is limited to the context of the vulnerable plugin and requires user interaction for initial injection [1].

Mitigation

The vulnerability is fixed in version 6.0.6. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, consult your hosting provider or web developer for assistance [1].