VYPR
High severity 7.1 · NVD Advisory · Published Dec 18, 2025 · Updated Apr 15, 2026

CVE-2025-64221

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Reservation Plugin dt-reservation-plugin allows Reflected XSS. This issue affects Reservation Plugin: from n/a through <= 1.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in WordPress Reservation Plugin dt-reservation-plugin allows attackers to inject malicious scripts via crafted requests.

Vulnerability Overview

The Reservation Plugin (dt-reservation-plugin) for WordPress contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw affects all versions up to and including 1.6, and is classified as High severity with a CVSS v3 score of 7.1.

Exploitation Details

Exploitation requires user interaction, such as clicking a specially crafted link or visiting a malicious page [1]. An attacker can inject arbitrary HTML and JavaScript payloads into the response, which are then executed in the context of the victim's browser session. The attacker does not need to be authenticated to trigger the vulnerability, but a privileged user must perform the action for exploitation to succeed.

Impact

Successful exploitation allows an attacker to execute malicious scripts, potentially leading to redirects, advertisements, or other HTML payloads being displayed to site visitors [1]. This could be used for phishing, defacement, or further compromise of the WordPress installation.

Mitigation

The vendor has released version 1.7 which resolves the vulnerability [1]. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule to block attacks until the patch is applied [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
