VYPR
High severity 7.1 · NVD Advisory · Published Feb 20, 2026 · Updated Apr 23, 2026

CVE-2025-68852

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webmuehle Court Reservation court-reservation allows Reflected XSS. This issue affects Court Reservation: from n/a through <= 1.10.13.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in WordPress Court Reservation plugin <=1.10.13 allows attackers to inject malicious scripts via crafted input.

The Court Reservation plugin for WordPress (versions up to and including 1.10.13) contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw can be exploited by an attacker who crafts a malicious link or request that, when interacted with by a privileged user, executes arbitrary JavaScript in the context of the victim's browser.

Exploitation requires user interaction—typically a privileged user, such as an administrator, clicking a specially crafted link or visiting a malicious page. The attacker does not need authentication but relies on social engineering to trick the target into performing the action [1].

Successful exploitation allows the attacker to inject malicious scripts, which can perform actions like redirecting visitors to attacker-controlled sites, displaying advertisements, or stealing session cookies. Given the plugin's widespread use, this vulnerability is expected to be targeted in mass-exploit campaigns [1].

As a mitigation, users should update the plugin to a patched version immediately. If unable to update, they should contact their hosting provider or web developer for assistance. Patchstack has also issued a virtual mitigation rule to block attacks until an official patch can be applied [1].
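To find sites that fall inside the affected range, the following added example (not part of the advisory or the plugin's code) reads the installed version of the `court-reservation` plugin from its WordPress header comment and compares it with 1.10.13. It assumes the standard `wp-content/plugins/<slug>/` layout; the sample file name `plugin-main.php` and its header are constructed test data.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "court-reservation"  # slug as given in the CVE description
LAST_AFFECTED = "1.10.13"          # advisory: affected through <= 1.10.13

# WordPress reads plugin metadata from a header comment in a top-level PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def version_key(version):
    """Turn '1.10.13' into (1, 10, 13) so that 1.10.x sorts above 1.9.x."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def installed_version(wp_root):
    """Return the plugin's header version, or None if it is not installed."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress only inspects the first 8 KB of a file for the header
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = VERSION_RE.search(head)
        if match:
            return match.group(1)
    return None

def check_site(wp_root):
    """Classify a WordPress root: 'not-installed', 'affected' or 'outside-range'."""
    version = installed_version(wp_root)
    if version is None:
        return "not-installed"
    if version_key(version) <= version_key(LAST_AFFECTED):
        return "affected"
    return "outside-range"

def make_sample_site(version):
    """Build a constructed WordPress tree (sample data, assumed file name)."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / "wp-content" / "plugins" / PLUGIN_SLUG
    plugin_dir.mkdir(parents=True)
    header = f"<?php\n/*\n * Plugin Name: Court Reservation\n * Version: {version}\n */\n"
    (plugin_dir / "plugin-main.php").write_text(header, encoding="utf-8")
    return root

if __name__ == "__main__":
    for sample in ("1.9.2", "1.10.13", "1.10.14"):
        print(sample, check_site(make_sample_site(sample)))
```

A result of `outside-range` only means the version is above the range stated in the description; it does not by itself confirm that a fix is present.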

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
