Beware! Stored XSS Vulnerability Plagues Booking Calendar WordPress Plugin (CVE-2025-12804)

Overview

A Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-12804, has been discovered in the Booking Calendar plugin for WordPress. This vulnerability affects all versions up to and including 10.14.6. It allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into WordPress pages using the ‘bookingcalendar’ shortcode. This injected code can then execute whenever a user visits the affected page, potentially leading to account compromise or other malicious activities.

Technical Details

The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes within the ‘bookingcalendar’ shortcode. Specifically, attackers can inject malicious JavaScript code within attributes of the shortcode. Since the plugin fails to properly sanitize or escape this input, the code is stored in the WordPress database and executed when the page containing the shortcode is rendered.

An example of a vulnerable shortcode might look like this:

[bookingcalendar attribute="<script>alert('XSS')</script>"]

When a user views the page containing this shortcode, the JavaScript code will execute in their browser.
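To make the defect class concrete, here is an added example (written for this page, not code taken from the Booking Calendar plugin or its changeset) of a minimal WordPress shortcode handler in its vulnerable and hardened forms. The attribute names, the function names and the registered shortcode tag `example_bookingcalendar` are hypothetical; only the `bookingcalendar` shortcode name and the unescaped-attribute failure mode come from the page.

```php
<?php
// Added example, not the plugin's code. The attribute names and function
// names are hypothetical; the shortcode is registered under a different tag
// so it does not collide with the real 'bookingcalendar' handler.

// VULNERABLE: attribute values are concatenated into HTML unchanged. A
// contributor who saves [example_bookingcalendar title="<script>...</script>"]
// stores markup that runs for every visitor when the post is rendered.
function example_bookingcalendar_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'width' => '100%' ),
        $atts,
        'example_bookingcalendar'
    );
    return '<div class="booking-calendar" style="width:' . $atts['width'] . '">'
         . '<h3>' . $atts['title'] . '</h3></div>';
}

// HARDENED: sanitize on input and escape for the exact output context.
// esc_html() for a text node, esc_attr() for an attribute value, and a strict
// allow-list for the CSS width so nothing but a plain px/% value reaches the
// style attribute (a free-form style value is itself an injection point).
function example_bookingcalendar_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'width' => '100%' ),
        $atts,
        'example_bookingcalendar'
    );

    // Strip tags and control characters, then escape for the <h3> text node.
    $title = esc_html( sanitize_text_field( $atts['title'] ) );

    // Accept only e.g. "320px" or "80%"; fall back to the default otherwise.
    $width = preg_match( '/^\d{1,4}(px|%)$/', $atts['width'] ) ? $atts['width'] : '100%';

    return '<div class="booking-calendar" style="width:' . esc_attr( $width ) . '">'
         . '<h3>' . $title . '</h3></div>';
}

// Register only the hardened handler; the vulnerable one is kept for contrast.
add_shortcode( 'example_bookingcalendar', 'example_bookingcalendar_hardened' );
```

With the hardened handler, the payload from the shortcode above is stored as text but rendered as the literal string `&lt;script&gt;...` rather than as executable markup; if an attribute legitimately needs limited HTML, pass it through `wp_kses_post()` instead of `esc_html()`.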

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-12804 is 6.4, indicating a MEDIUM severity vulnerability.

  • CVSS Score: 6.4
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (Example, adjust according to actual CVSS calculation)

This score reflects the fact that the vulnerability requires authentication (contributor access or higher) and user interaction (a user must visit the page containing the injected script) to be exploited.

Possible Impact

Successful exploitation of this vulnerability can have several negative consequences, including:

  • Account Compromise: An attacker could steal user session cookies or credentials, allowing them to gain unauthorized access to user accounts.
  • Website Defacement: The attacker could modify the content of the affected pages, defacing the website.
  • Malware Distribution: The attacker could inject malicious code that redirects users to phishing sites or downloads malware onto their devices.
  • Administrative Access: If an administrator views the page, the attacker may be able to gain full administrative access to the WordPress site.

Mitigation and Patch Steps

To protect your website from CVE-2025-12804, it is crucial to update the Booking Calendar plugin to the latest version as soon as possible. The vulnerability has been patched in versions released after 10.14.6.

  1. Update the Plugin: Navigate to the “Plugins” section in your WordPress dashboard and update the Booking Calendar plugin to the latest version.
  2. Review User Roles: Limit contributor-level access to trusted users only. Consider implementing a least-privilege approach to user roles.
  3. Web Application Firewall (WAF): Implement a Web Application Firewall (WAF) to filter out malicious requests and potentially block XSS attempts.
  4. Monitor Activity: Regularly monitor your website’s activity logs for suspicious behavior.

References

WordPress Plugin Trac Changeset: 3391614
Wordfence Threat Intelligence Report

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.