VYPR
Medium severity 6.5 · NVD Advisory · Published Nov 13, 2025 · Updated Apr 15, 2026

CVE-2025-64275

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Manager booking-manager allows Stored XSS. This issue affects Booking Manager: from n/a through <= 2.1.17.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in the WordPress Booking Manager plugin allows authenticated users to inject malicious scripts, affecting versions up to 2.1.17.

The Booking Manager plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This flaw affects versions up to and including 2.1.17 [1]. The vulnerability is classified as Medium severity with a CVSS v3 score of 6.5 [1].

An attacker with the required privileged role can inject malicious scripts into the plugin's input fields. When the page is loaded or viewed, these scripts execute in the context of a visitor's browser [1]. User interaction is required for exploitation, meaning a privileged user must perform an action such as clicking a crafted link or visiting a specially prepared page [1].

Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript, enabling actions such as redirecting visitors to malicious websites, displaying unauthorized advertisements, or stealing sensitive information [1]. This vulnerability is known to be used in mass-exploit campaigns targeting thousands of WordPress sites [1].

The issue has been addressed in version 2.1.18 of the plugin. Users are strongly advised to update immediately or enable auto-updates if supported [1]. As a temporary workaround, if updating is not possible, contacting a hosting provider or web developer for assistance is recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
