CVE-2025-13135: Critical Stored XSS Vulnerability in HotelRunner Booking Widget WordPress Plugin

Overview

CVE-2025-13135 identifies a Stored Cross-Site Scripting (XSS) vulnerability affecting the HotelRunner Booking Widget plugin for WordPress. This vulnerability resides within the plugin’s ‘hotelrunner’ shortcode and impacts all versions up to and including 5.2.4. Due to insufficient input sanitization and output escaping, authenticated attackers with contributor-level access or higher can inject malicious web scripts into WordPress pages. When other users visit these compromised pages, the injected scripts execute, potentially leading to account compromise, data theft, or website defacement.

Technical Details

The vulnerability stems from the plugin’s failure to properly sanitize and escape user-supplied attributes within the ‘hotelrunner’ shortcode. Specifically, an attacker can craft a malicious ‘hotelrunner’ shortcode containing JavaScript code within one or more of the attributes. Because WordPress allows contributors to edit page content, an attacker with this permission can inject this malicious shortcode into a page or post.

For example, a malicious shortcode could look like this:

[hotelrunner some_attribute="<script>alert('XSS!')</script>"]

When this page is viewed by another user, the injected JavaScript code will execute in their browser, within the context of the WordPress website. This allows the attacker to perform actions on behalf of the victim user.
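The following is an added example and is not the HotelRunner plugin's own code: a hypothetical shortcode handler is shown first in the unsafe shape described above (attribute values interpolated into HTML verbatim) and then in a hardened form that validates each attribute against its expected shape and escapes it at output. The function names hr_widget_unsafe() and hr_widget_hardened(), the attribute names hotel_id, lang and url, and the allow-listed language codes are assumptions for illustration. The shims at the top approximate WordPress's shortcode_atts(), esc_attr() and esc_url() so the file runs outside WordPress; inside a real plugin the core functions are used instead.

```php
<?php
// Added example, not the plugin's code. Shims approximate WordPress core
// helpers so the file runs stand-alone; a real plugin relies on the core versions.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts): array {
        // Keep only known attribute keys and fall back to defaults (WP core contract).
        $out = $defaults;
        foreach ($defaults as $key => $default) {
            if (array_key_exists($key, $atts)) {
                $out[$key] = $atts[$key];
            }
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        // Approximation of esc_attr(): entity-encode <, >, &, " and '.
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $url): string {
        // Approximation: accept only http(s) URLs, otherwise emit an empty string.
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        return in_array($scheme, ['http', 'https'], true) ? esc_attr($url) : '';
    }
}

// UNSAFE (hypothetical): user-controlled attribute values reach the HTML unchanged.
function hr_widget_unsafe($atts): string {
    $a = shortcode_atts(['hotel_id' => '', 'lang' => 'en', 'url' => ''], (array) $atts);
    return '<div class="hr-widget" data-hotel="' . $a['hotel_id'] . '" data-lang="' . $a['lang'] . '">'
         . '<a href="' . $a['url'] . '">Book now</a></div>';
}

// HARDENED (hypothetical): validate shape where possible, escape everything at output.
function hr_widget_hardened($atts): string {
    $a = shortcode_atts(['hotel_id' => '', 'lang' => 'en', 'url' => ''], (array) $atts);
    // hotel_id: enforce the expected shape (digits only) instead of trusting the value.
    $hotel_id = preg_match('/^\d{1,12}$/', $a['hotel_id']) ? $a['hotel_id'] : '';
    // lang: restrict to a small allow-list of codes (assumed set).
    $lang = in_array($a['lang'], ['en', 'de', 'fr', 'tr'], true) ? $a['lang'] : 'en';
    return '<div class="hr-widget" data-hotel="' . esc_attr($hotel_id) . '" data-lang="' . esc_attr($lang) . '">'
         . '<a href="' . esc_url($a['url']) . '">Book now</a></div>';
}

// Constructed attribute set using the payload shape from the advisory's example.
$payload = ['hotel_id' => "<script>alert('XSS!')</script>", 'lang' => 'en', 'url' => 'https://example.invalid/book'];
echo "unsafe:   ", hr_widget_unsafe($payload), PHP_EOL;    // <script> emitted verbatim
echo "hardened: ", hr_widget_hardened($payload), PHP_EOL;  // value rejected, nothing executable in output
```

Run with php on the command line to compare the two outputs. The point of the hardened version is that both defences are applied: validation rejects values that do not match the attribute's expected shape, and esc_attr()/esc_url() at output guarantee that whatever remains cannot change the HTML context, which is the fix WordPress's own coding guidelines prescribe for shortcode output.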

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-13135 a score of 6.4 (Medium). This score reflects the vulnerability’s moderate severity and exploitability. While it requires authentication, the low privileges needed (contributor) and the potential for significant impact on other users make it a noteworthy security concern.

Possible Impact

The exploitation of this Stored XSS vulnerability can lead to several critical consequences:

  • Account Takeover: An attacker can steal the cookies of an administrator, enabling them to assume control of the entire WordPress website.
  • Data Theft: Sensitive data, such as customer information or proprietary business data, can be exfiltrated from the compromised website.
  • Website Defacement: Attackers can modify the appearance and content of the website, damaging the organization’s reputation and credibility.
  • Malware Distribution: The compromised website can be used to distribute malware to visitors, further expanding the scope of the attack.

Mitigation or Patch Steps

The most effective mitigation is to update the HotelRunner Booking Widget plugin to the latest version. If an update is not immediately available, consider temporarily disabling the plugin until a patched version is released.

Here are the recommended steps:

  1. Update the Plugin: Navigate to the “Plugins” section in your WordPress dashboard and update the HotelRunner Booking Widget plugin to the latest available version.
  2. Review User Roles: Limit contributor access to only those users who absolutely require it.
  3. Web Application Firewall (WAF): Implement a Web Application Firewall (WAF) to detect and block XSS attacks. Many WAF solutions offer pre-configured rules to protect against common XSS vulnerabilities.
  4. Monitor Logs: Regularly monitor your WordPress website’s logs for suspicious activity, such as unusual POST requests or unexpected JavaScript execution.
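To support step 4, the following added example (not code from the plugin or from WordPress) scans post content for ‘hotelrunner’ shortcodes whose attribute values contain markup or script indicators, reporting the post and author so the content can be reviewed and the contributor account checked. The $posts array is constructed sample data; in a real deployment the rows would be read from wp_posts (for example through $wpdb or WP-CLI), which is assumed here, and the function name hr_find_suspicious_shortcodes() is invented for illustration.

```php
<?php
// Added example, not the plugin's or WordPress's code: find [hotelrunner ...]
// shortcodes in post content whose attribute values look like markup or script.

function hr_find_suspicious_shortcodes(array $posts): array {
    $findings = [];
    // Every [hotelrunner ...] shortcode, capturing its attribute string.
    $shortcode_re = '/\[hotelrunner\b([^\]]*)\]/i';
    // key="value", key='value' or key=value attribute pairs.
    $attr_re = '/([a-z0-9_\-]+)\s*=\s*("([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i';
    // Indicators of markup in a value: an HTML tag, a javascript: scheme,
    // an on*= event handler, or numeric entities used to disguise them.
    $bad_re = '/<\s*\/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=|&#x?[0-9a-f]+;?/i';

    foreach ($posts as $post) {
        if (!preg_match_all($shortcode_re, $post['post_content'], $codes, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($codes as $code) {
            if (!preg_match_all($attr_re, $code[1], $attrs, PREG_SET_ORDER)) {
                continue;
            }
            foreach ($attrs as $attr) {
                // Only the group for the matched quoting style is non-empty.
                $value = $attr[3] ?? '';
                if ($value === '') { $value = $attr[4] ?? ''; }
                if ($value === '') { $value = $attr[5] ?? ''; }
                if (preg_match($bad_re, $value)) {
                    $findings[] = [
                        'post_id'   => $post['ID'],
                        'author_id' => $post['post_author'],
                        'attribute' => $attr[1],
                        'value'     => $value,
                    ];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows standing in for wp_posts (ID, post_author, post_content).
$posts = [
    ['ID' => 101, 'post_author' => 7, 'post_content' => 'Welcome! [hotelrunner hotel_id="12345" lang="en"]'],
    ['ID' => 102, 'post_author' => 9, 'post_content' => "Deals [hotelrunner some_attribute=\"<script>alert('XSS!')</script>\"]"],
    ['ID' => 103, 'post_author' => 7, 'post_content' => "[hotelrunner hotel_id='67890' lang='de'] and more text"],
];

foreach (hr_find_suspicious_shortcodes($posts) as $f) {
    printf("post %d (author %d): attribute '%s' contains markup: %s\n",
        $f['post_id'], $f['author_id'], $f['attribute'], $f['value']);
}
```

Only post 102 is reported for the sample rows. Running this as a scheduled job and alerting on new findings gives a concrete signal for the "suspicious activity" the step refers to, and the author_id in each finding ties directly back to the role review in step 2.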

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
