CVE-2025-63011

Vulnerability

Overview

The WP Hotel Booking plugin for WordPress (versions through 2.2.8) contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-controllable input during web page generation [1]. This occurs when the plugin processes data that is then written into the Document Object Model (DOM) of the page without proper sanitization, allowing JavaScript execution in the victim's browser.

Exploitation

Conditions

Exploitation requires user interaction; a privileged user (such as an administrator) must perform an action like clicking a malicious link, visiting a crafted page, or submitting a specially crafted form [1]. The attack does not require authentication beyond the targeted user's session, and the injected payload executes within the context of the affected WordPress admin or front-end page.

Impact

A successful attack allows an attacker to inject arbitrary HTML and JavaScript, which can be used to redirect visitors to malicious sites, display unwanted advertisements, steal session cookies, or perform other actions on behalf of the logged-in user [1]. This can lead to defacement, data theft, or further compromise of the WordPress installation.

Mitigation

The vendor has released version 2.2.9 to address the issue [1]. Users are strongly advised to update immediately. For sites that cannot update immediately, enabling auto-updates for vulnerable plugins is recommended as a workaround [1].