The vulnerability identified as CVE-2025-12135 affects the WPBookit plugin for WordPress, developed by iqonicdesign. It is a stored cross-site scripting (XSS) vulnerability categorized under CWE-79, caused by improper neutralization of input during web page generation. Specifically, the issue lies in the save_custome_code() function, which lacks a capability check when processing the 'css_code' parameter. This omission allows unauthenticated attackers to inject arbitrary JavaScript code that is persistently stored and executed in the context of any user visiting the affected page. The vulnerability affects all versions up to and including 1.0.6. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) indicates that the attack can be performed remotely over the network without any privileges or user interaction, and the scope is changed, meaning the impact extends beyond the vulnerable component. The confidentiality and integrity of user data can be compromised, although availability is not impacted. No patches or official fixes are currently linked, and no known exploits have been reported in the wild, but the vulnerability's characteristics make it a high-risk issue for WordPress sites using this plugin.

The impact of CVE-2025-12135 is significant for organizations running WordPress sites with the WPBookit plugin. Since the vulnerability allows unauthenticated attackers to inject persistent malicious scripts, it can lead to session hijacking, theft of sensitive user information such as cookies or credentials, unauthorized actions performed on behalf of users, and website defacement. This undermines user trust and can result in reputational damage, regulatory penalties, and financial losses. The scope change means that the attacker can affect users beyond the immediate plugin context, potentially compromising other parts of the website or integrated systems. Given WordPress's extensive global usage, the vulnerability could be exploited at scale, especially on sites that do not implement additional security controls such as web application firewalls or content security policies. The lack of required authentication and user interaction lowers the barrier for exploitation, increasing the likelihood of attacks once exploit code becomes publicly available.

To mitigate CVE-2025-12135, organizations should immediately update the WPBookit plugin to a patched version once available from the vendor. In the absence of an official patch, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the 'css_code' parameter can provide temporary protection. Additionally, applying strict Content Security Policies (CSP) can help prevent execution of injected scripts. Site administrators should audit and sanitize any custom CSS or code inputs stored by the plugin to remove potentially malicious content. Monitoring web server logs and user activity for signs of exploitation attempts is also recommended. Finally, educating users about the risks of XSS and encouraging the use of multi-factor authentication can reduce the impact of potential session hijacking.