CVE-2025-58661
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eZee Technosys eZee Online Hotel Booking Engine online-booking-engine allows Stored XSS. This issue affects eZee Online Hotel Booking Engine: from n/a through <= 1.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in eZee Online Hotel Booking Engine ≤1.0.0 allows attackers to inject malicious scripts executed when guests visit the site.
Vulnerability Overview
CVE-2025-58661 is a stored cross-site scripting (XSS) vulnerability in the eZee Online Hotel Booking Engine plugin for WordPress, affecting all versions up to and including 1.0.0. The issue arises from improper neutralization of user input during web page generation, allowing attackers to inject arbitrary HTML and JavaScript code that is stored on the server and later executed in the browsers of site visitors [1].
Exploitation Requirements
Exploitation requires an authenticated user with certain privileges; the specific role is not disclosed but the vulnerability is triggered via the plugin's admin interface. Successful execution depends on a privileged user performing an action such as clicking a malicious link or submitting crafted input. Once injected, the malicious payload is stored and delivered to all subsequent visitors without further interaction [1].
Impact
An attacker can inject scripts that perform arbitrary actions in the context of the victim's browser, including redirecting users to malicious sites, displaying unwanted advertisements, or stealing sensitive information. This can lead to defacement, phishing attacks, or further compromise of the affected site and its users [1].
Mitigation
As of the publication date, no patch is available for versions ≤1.0.0. The vendor is urged to release an update. In the meantime, users should consider disabling the plugin or applying a web application firewall rule to mitigate XSS attacks. Given the potential for mass exploitation, immediate action is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=1.0.0
- Range: <=1.0.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.