VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published Sep 5, 2025 · Updated Apr 28, 2026

CVE-2025-58887

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Course Finder | andré martin - it solutions & research UG Course Booking Platform course-booking-platform allows Stored XSS. This issue affects Course Booking Platform: from n/a through <= 1.0.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in WordPress Course Booking Platform plugin ≤1.0.0 allows authenticated attackers with contributor-level access to inject malicious scripts.

The Course Booking Platform plugin for WordPress, versions up to and including 1.0.0, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw enables an attacker with contributor-level privileges to inject arbitrary JavaScript or HTML into plugin pages, which is then stored and executed when other users—including site visitors—access the affected content. The vulnerability is actively being exploited in mass campaigns targeting thousands of websites [1].

Exploitation requires a privileged user (e.g., a contributor) to perform an action such as clicking a malicious link or submitting a crafted form. Once the injected script is stored, it executes automatically in the browsers of any user visiting the compromised page, without requiring further interaction from the victim. The attack surface is the plugin's input fields within the WordPress admin area, making it accessible to any authenticated user with the contributor role or higher [1].

The impact of successful exploitation includes the ability to inject malicious scripts that can redirect visitors to phishing sites, display unwanted advertisements, or deface the website. In more severe cases, the injected code could steal session cookies or perform actions on behalf of the victim, potentially leading to further compromise of the WordPress installation [1].

As a mitigation, users are strongly advised to update the Course Booking Platform plugin to the latest available version immediately. If an update is not possible, site administrators should consider disabling the plugin or implementing a web application firewall to block malicious input. The vulnerability is documented on Patchstack, and given its use in mass-exploit campaigns, prompt action is critical [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.