CVE-2025-12135 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WPBookit plugin for WordPress, developed by iqonicdesign. This vulnerability affects all versions up to and including 1.0.6. The root cause is a missing capability check in the save_custome_code() function, which processes the 'css_code' parameter. Because of this, unauthenticated attackers can inject arbitrary JavaScript code that is stored persistently on the server and executed in the context of any user who visits the affected page. This stored XSS flaw allows attackers to perform actions such as session hijacking, defacement, phishing, or delivering malware. The vulnerability is exploitable remotely over the network without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.2, reflecting high severity due to the ease of exploitation and the potential for confidentiality and integrity impacts, although availability is not affected. No public exploits have been reported yet, but the vulnerability’s characteristics make it a prime candidate for exploitation once weaponized. The vulnerability affects websites using WPBookit, a booking plugin commonly used in service industries. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for interim mitigations. The vulnerability’s scope is broad since it affects all plugin versions, and the stored nature of the XSS means that any user visiting the compromised page is at risk. The CWE classification is CWE-79, indicating improper neutralization of input during web page generation.

For European organizations, this vulnerability poses a significant risk, especially for those operating customer-facing websites that utilize the WPBookit plugin for booking or appointment management. Exploitation could lead to unauthorized access to user sessions, theft of sensitive customer data, defacement of websites, or distribution of malicious payloads to visitors. This can damage brand reputation, result in regulatory non-compliance (e.g., GDPR violations due to data breaches), and cause financial losses. The stored XSS nature means that all users accessing the infected pages are vulnerable, potentially amplifying the impact. Organizations in sectors such as tourism, hospitality, healthcare, and professional services—where booking systems are critical—are particularly vulnerable. Additionally, the vulnerability could be leveraged as a foothold for further attacks within the network if administrative users are targeted. The lack of authentication requirement lowers the barrier for attackers, increasing the likelihood of exploitation. Given the interconnected nature of European digital infrastructure, a successful attack could have cascading effects on trust and service availability.

1. Immediately audit and disable the WPBookit plugin on all WordPress sites until a security patch is released. 2. If disabling is not feasible, restrict access to the plugin’s administrative functions to trusted, authenticated users only, using strong access controls and IP whitelisting where possible. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'css_code' parameter, focusing on script injection patterns. 4. Monitor web server logs and application logs for unusual POST requests or parameter values related to 'css_code'. 5. Educate site administrators about the risk and encourage prompt updates once a patch is available. 6. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 7. Regularly back up website data and configurations to enable quick restoration if compromise occurs. 8. Conduct security scans and penetration tests focusing on XSS vulnerabilities in all plugins and custom code. 9. Consider alternative booking plugins with a strong security track record until WPBookit is patched. 10. Stay informed through vendor advisories and security communities for updates on patches or exploit developments.