CVE-2025-12135 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WPBookit plugin for WordPress, developed by iqonicdesign. This vulnerability affects all versions up to and including 1.0.6. The root cause is a missing capability check in the save_custome_code() function, which processes the 'css_code' parameter. Because of this omission, unauthenticated attackers can inject arbitrary JavaScript code that is stored persistently and executed whenever any user visits the compromised page. The attack vector is network accessible without requiring authentication or user interaction, making exploitation straightforward. The vulnerability impacts confidentiality and integrity by enabling script execution in the context of the victim's browser, potentially leading to session hijacking, data theft, or unauthorized actions on behalf of the user. The CVSS v3.1 base score is 7.2, reflecting high severity due to the ease of exploitation and the scope of affected systems. No patches or exploit code are currently publicly available, but the vulnerability's presence in a popular WordPress plugin used for booking and scheduling services increases its attractiveness to attackers. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation, a common and dangerous web security flaw.

For European organizations, the impact of CVE-2025-12135 can be significant, especially for those relying on WordPress-based websites with the WPBookit plugin installed. The stored XSS vulnerability allows attackers to execute malicious scripts in the browsers of site visitors, which can lead to theft of sensitive information such as cookies, credentials, or personal data, violating GDPR requirements. It can also facilitate phishing attacks, unauthorized actions on behalf of users, and defacement or manipulation of website content, damaging brand reputation and customer trust. Organizations in sectors like tourism, hospitality, and event management, which commonly use booking plugins, are particularly at risk. The vulnerability's ability to be exploited without authentication or user interaction increases the likelihood of automated attacks and broad exploitation campaigns. Additionally, the cross-site scripting flaw may be leveraged as a pivot point for further attacks within the victim's network or to distribute malware. Failure to address this vulnerability could result in regulatory penalties, financial losses, and operational disruptions.

European organizations should immediately audit their WordPress installations to identify the presence of the WPBookit plugin and its version. If the plugin is installed and unpatched, organizations should remove or disable it until a vendor patch is released. In the absence of an official patch, applying virtual patching via Web Application Firewalls (WAFs) that detect and block malicious payloads targeting the 'css_code' parameter can reduce risk. Implement strict input validation and sanitization on all user-supplied inputs, especially those that influence page content. Deploy Content Security Policies (CSP) to restrict the execution of unauthorized scripts. Regularly monitor web server logs and security alerts for suspicious activity related to this vulnerability. Educate web administrators about the risks of installing unverified plugins and the importance of timely updates. Finally, maintain comprehensive backups and incident response plans to quickly recover from potential exploitation.