CVE-2025-64381
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Calendar booking allows Stored XSS. This issue affects Booking Calendar: from n/a through <= 10.14.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Booking Calendar plugin (≤10.14.7) allows attackers with author-level privileges to inject malicious scripts into pages.
Vulnerability Overview
A stored cross-site scripting (XSS) vulnerability exists in the Booking Calendar WordPress plugin (versions n/a through 10.14.7). Improper neutralization of user-supplied input during web page generation allows an attacker with author-level privileges to inject arbitrary JavaScript or HTML payloads into the application's output. The injected code is persistently stored on the server and executed in the browsers of users visiting affected pages [1].
Exploitation Details
To exploit this vulnerability, an authenticated user with at least the Author role must be able to submit or edit booking-related content. The attack does not require direct user interaction from the victim; instead, the malicious payload is stored and later served to site visitors. Successful exploitation relies on a privileged user performing an action such as clicking a crafted link or submitting a form that contains the XSS payload [1].
Impact
If exploited, an attacker can inject malicious scripts that lead to redirects, display of advertisements, theft of session cookies, or defacement of the website. This type of attack is known to be used in mass-exploit campaigns targeting thousands of WordPress sites [1]. The CVSS v3 score of 6.5 reflects a medium severity, though the impact on confidentiality, integrity, and availability can be significant depending on the injected payload.
Mitigation
The vendor has addressed this vulnerability in version 10.14.8. Users are strongly advised to update the Booking Calendar plugin immediately. If an immediate update is not possible, consider implementing a Web Application Firewall (WAF) or disabling the plugin until the update can be applied. The Patchstack database notes that auto-update can be enabled for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 10.14.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.