CVE-2025-7022
Description
The My Reservation System WordPress plugin through 2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The My Reservation System WordPress plugin ≤2.3 suffers from a reflected XSS due to unsanitized output, enabling attacks on privileged users like admins.
The My Reservation System WordPress plugin through version 2.3 reads a request parameter and writes it back into a page without sanitizing it on input or escaping it on output. That is the textbook reflected Cross-Site Scripting (XSS) pattern: whatever HTML or JavaScript an attacker places in the parameter of a crafted URL is rendered by the browser of whoever opens that URL [1].
The attacker needs no account on the site. They only need to get a logged-in administrator or other high-privilege user to open the crafted link, for example through a phishing email or a comment. The injected script then runs in the origin of the WordPress site, inside that user's authenticated session, so the same-origin policy does not stand in its way [1].
For a reflected XSS the impact is severe because the victim is privileged. WordPress sets its authentication cookies HttpOnly, so the script typically cannot read them directly; instead it drives the victim's session from inside the browser, fetching wp-admin pages, harvesting the nonces they contain, and submitting requests that create a new administrator, install a plugin, or change site content, all of which the server sees as legitimate actions by the admin. One click can thus end in persistent administrative control of the site [1].
No patch is listed for this CVE, and the plugin appears to be unmaintained. Until a fixed release exists, site owners should deactivate and remove the plugin. A Web Application Firewall rule that blocks obvious script payloads in the reflected parameter is at best a stopgap, since reflected XSS payloads are easy to encode around. The vulnerability was publicly disclosed on July 4, 2025 [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
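The pattern described above, shown in code. This is an added illustration, not code from the My Reservation System plugin or its author: a minimal WordPress-style handler that echoes a query parameter into the page (the vulnerable shape) next to a hardened version that sanitizes the value on input and escapes it for the HTML context it lands in. The parameter name `q`, the handler functions and the sample request value are all hypothetical; the WordPress helpers `esc_html`, `sanitize_text_field` and `wp_unslash` are stubbed with plain-PHP equivalents so the file runs from the command line outside WordPress.

```php
<?php
// Added example for CVE-2025-7022's bug class, not the plugin's own code.
// Outside WordPress the helpers below are stand-ins; inside WordPress the
// real ones are loaded and these definitions are skipped.

if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        // WordPress adds slashes to request data; unslash before sanitizing.
        return is_string($value) ? stripslashes($value) : $value;
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Stand-in for the WordPress helper: strip tags, drop control chars, trim.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        // Stand-in for the WordPress helper: escape for an HTML text node.
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE: the raw request value is concatenated straight into the response.
// This is the shape the CVE description refers to ("does not sanitise and escape
// a parameter before outputting it back in the page").
function render_search_vulnerable(array $get): string {
    $q = $get['q'] ?? '';
    return '<p>Results for: ' . $q . '</p>';
}

// HARDENED: unslash, sanitize on input, and escape on output with the escaper
// that matches the HTML context (esc_html for text nodes; esc_attr would be the
// choice inside an attribute value, esc_url inside an href).
function render_search_hardened(array $get): string {
    $q = isset($get['q']) ? sanitize_text_field(wp_unslash($get['q'])) : '';
    return '<p>Results for: ' . esc_html($q) . '</p>';
}

// Does the rendered page still contain an executable script element?
function contains_script_element(string $html): bool {
    return stripos($html, '<script') !== false;
}

if (PHP_SAPI === 'cli') {
    // Constructed request value (hypothetical), not taken from any real report.
    $request = ['q' => '"><script>alert(document.domain)</script>'];

    $vuln = render_search_vulnerable($request);
    $safe = render_search_hardened($request);

    echo "vulnerable: $vuln\n";
    echo "hardened:   $safe\n";
    echo 'vulnerable output contains <script>: ' . (contains_script_element($vuln) ? 'yes' : 'no') . "\n";
    echo 'hardened output contains <script>:   ' . (contains_script_element($safe) ? 'yes' : 'no') . "\n";
}
```

Run with `php example.php`. The vulnerable handler emits the `<script>` element intact; the hardened one emits `&quot;&gt;alert(document.domain)` as inert text. Note that output escaping alone (`esc_html` on the raw value) is already sufficient to prevent XSS in an HTML text node; `sanitize_text_field` is defense in depth and also normalizes the stored value. The mistake to watch for in review is the reverse: sanitizing on input and then trusting the value at output time, or escaping with the wrong function for the context (for example `esc_html` inside a `href` or inline event handler).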
Affected products
- Range: <=2.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.