CVE-2025-12804 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Booking Calendar plugin for WordPress developed by wpdevelop. This vulnerability affects all versions up to and including 10.14.6. The root cause is insufficient sanitization and escaping of user-supplied input passed via the plugin’s shortcode attributes. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Since the malicious script is stored persistently, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability does not require user interaction beyond visiting the infected page and does not require elevated privileges beyond contributor access. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, privileges required at the contributor level, no user interaction, scope changed, and low impact on confidentiality and integrity, with no impact on availability. No public exploits are known at this time, but the vulnerability is published and should be addressed promptly. The lack of a patch link suggests that a fix may not yet be available or is pending release.

The vulnerability allows attackers with contributor-level access to inject persistent malicious scripts into WordPress sites using the Booking Calendar plugin. This can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Since the injected scripts execute in the context of the victim’s browser, sensitive information such as cookies or authentication tokens could be stolen, leading to further compromise. Organizations relying on this plugin for booking or scheduling services risk reputational damage, data breaches, and loss of user trust. The scope includes any WordPress site with the vulnerable plugin installed and contributor or higher user roles enabled, which is common in multi-author or community-driven sites. Although no known exploits exist currently, the medium CVSS score and ease of exploitation by authenticated users make this a significant risk, especially for sites with many contributors or less stringent user management policies.

Organizations should immediately audit their WordPress installations for the presence of the Booking Calendar plugin and verify the version in use. Until an official patch is released, administrators should restrict contributor-level access to trusted users only and consider temporarily disabling or removing the plugin if contributor roles are widely assigned. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the plugin’s shortcode parameters can provide interim protection. Site owners should also enable Content Security Policy (CSP) headers to limit script execution sources and reduce the impact of injected scripts. Regularly monitoring site content for unauthorized changes and scanning for XSS payloads is recommended. Once a patch becomes available, it should be applied immediately. Additionally, educating contributors about safe input practices and monitoring user activity can help reduce risk.