CVE-2025-58213

A stored cross-site scripting (XSS) vulnerability exists in the WordPress Booking System Trafft plugin versions 1.0.14 and earlier. The plugin fails to properly neutralize user-controllable input during web page generation, enabling an attacker to inject arbitrary HTML or JavaScript into the application's output [1].

The vulnerability can be exploited by a user with at least the contributor role, who can craft a malicious input that the plugin stores and later renders in the context of admin or visitor pages. No special privileges beyond standard contributor access are required to inject the payload, but successful execution depends on a privileged user (e.g., an administrator) interacting with the malicious content [1].

An attacker leveraging this flaw could inject scripts that perform actions such as redirecting visitors to malicious sites, displaying deceptive advertisements, or stealing session cookies. This could compromise the integrity of the site and affect all visitors who view the infected page [1].

The vendor has released version 1.0.15 which resolves the issue. Users are strongly advised to update immediately. For managed WordPress sites, auto-update can be enabled for vulnerable plugins via Patchstack [1].