CVE-2025-12804: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpdevelop Booking Calendar
The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bookingcalendar' shortcode in all versions up to, and including, 10.14.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-12804 is a stored Cross-Site Scripting vulnerability in the Booking Calendar plugin for WordPress, developed by wpdevelop. It affects all versions up to and including 10.14.6 and stems from improper neutralization of user-supplied input in the plugin's shortcode implementation: attributes supplied by authenticated users with contributor-level permissions or higher are not adequately sanitized on input or escaped on output. Such a user can therefore store arbitrary JavaScript that executes in the browser of any user who views the affected page. The weakness is classified as CWE-79, Improper Neutralization of Input During Web Page Generation. The CVSS v3.1 base score is 6.4 (medium severity): network attack vector, low attack complexity, privileges required (contributor or above), no user interaction, and a changed scope. The impact is limited loss of confidentiality and integrity, for example session token theft, actions performed on behalf of users, or defacement. No public exploits have been reported yet, but the vulnerability poses a risk to WordPress sites using this plugin, especially those with multiple contributors. The vulnerability was published on December 5, 2025, and no official patch links are currently available. The plugin's widespread use for managing bookings and scheduling on WordPress sites makes this a notable threat vector.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized script execution within their WordPress sites, potentially compromising user sessions, stealing sensitive data, or enabling further attacks such as privilege escalation or phishing. Organizations relying on the Booking Calendar plugin for customer-facing booking services may face reputational damage, service disruption, or data breaches. Since exploitation requires contributor-level access, insider threats or compromised contributor accounts are the likely route to abuse. The scope of impact includes any user visiting the injected pages, which may include customers, employees, or administrators. Given the widespread use of WordPress in Europe and the popularity of booking plugins for SMEs and service providers, the risk is significant. The vulnerability could also serve as a foothold for more advanced attacks within the network if combined with other vulnerabilities or social engineering. The medium severity rating reflects the balance between the privileges required and the potential impact on confidentiality and integrity.
Mitigation Recommendations
1. Monitor for and apply updates from wpdevelop promptly once a patch addressing CVE-2025-12804 is released.
2. Until a patch is available, restrict contributor-level permissions to trusted users only and review existing contributor accounts for suspicious activity.
3. Implement strict input validation and output encoding at the application or web server level, potentially using custom filters or security plugins that sanitize shortcode inputs.
4. Deploy a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting WordPress shortcodes.
5. Conduct regular security audits and scanning of WordPress plugins to detect injection points.
6. Educate contributors about the risks of injecting untrusted content and enforce secure content management policies.
7. Consider disabling the Booking Calendar plugin temporarily if it is not critical or if risk tolerance is low.
8. Monitor logs for unusual activity related to shortcode usage or script injections.
9. Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites.
10. Back up WordPress sites regularly to enable quick restoration if compromise occurs.
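Recommendations 3 and 9 above are the ones a site owner or plugin developer can act on directly in code. The following is an added example, not code from the Booking Calendar plugin or from wpdevelop: a hypothetical `[example_booking]` shortcode written first in the weak pattern the advisory describes (attribute values written straight into HTML) and then in a hardened form, followed by a CSP header hook. It assumes it runs inside WordPress (for instance as a must-use plugin), so `shortcode_atts()`, `absint()`, `esc_attr()`, `esc_html()`, `add_shortcode()` and `add_action()` are available. The shortcode name, attribute names and allowed view values are invented for the example.

```php
<?php
/**
 * Added example, not the plugin's code. Hypothetical shortcode:
 *   [example_booking id="3" view="week" title="Front desk"]
 * Assumes a WordPress runtime (must-use plugin or theme functions.php).
 */

// WEAK PATTERN (do not register): every attribute is concatenated into the
// page as-is. A contributor lacks the unfiltered_html capability, so kses
// strips tags from post_content on save, but a shortcode attribute value is
// plain text inside square brackets and passes through untouched. Whatever
// was stored is then emitted verbatim to every visitor of the page.
function example_booking_shortcode_weak( $atts ) {
    return '<div class="booking ' . $atts['view'] . '" data-id="' . $atts['id'] . '">'
         . '<h3>' . $atts['title'] . '</h3>'
         . '</div>';
}

// HARDENED PATTERN: normalise, validate, then escape for the output context.
function example_booking_shortcode_safe( $atts, $content = '', $tag = '' ) {
    // 1. Unknown attributes are dropped; missing ones receive defaults.
    $atts = shortcode_atts(
        array(
            'id'    => 0,
            'view'  => 'month',
            'title' => '',
        ),
        $atts,
        $tag
    );

    // 2. Validate against the type you actually expect. Escaping alone is
    //    not enough for values that are later used as identifiers or classes.
    $id            = absint( $atts['id'] );              // non-negative integer only
    $allowed_views = array( 'month', 'week', 'day' );   // hypothetical allowlist
    $view          = in_array( $atts['view'], $allowed_views, true )
        ? $atts['view']
        : 'month';

    // 3. Escape for the exact context: attribute values with esc_attr(),
    //    element text with esc_html(). Escaping happens at render time, so it
    //    protects viewers regardless of who saved the shortcode or when.
    $html  = '<div class="booking booking-' . esc_attr( $view ) . '"';
    $html .= ' data-id="' . esc_attr( (string) $id ) . '">';
    if ( '' !== $atts['title'] ) {
        $html .= '<h3>' . esc_html( $atts['title'] ) . '</h3>';
    }
    $html .= '</div>';

    return $html;
}
add_shortcode( 'example_booking', 'example_booking_shortcode_safe' );

// Defence in depth (recommendation 9): a CSP without 'unsafe-inline' in
// script-src stops inline event handlers and inline <script> blocks from
// running even if an escaping bug is present somewhere on the page.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```

Two practical notes. First, many plugins (booking widgets included) emit their own inline scripts, so roll the policy out as `Content-Security-Policy-Report-Only` first, watch the violation reports, and only then switch to the enforcing header or add hashes or nonces for the inline code that is legitimately needed. Second, the `send_headers` action fires on front-end requests, which is where stored XSS in a shortcode is rendered; admin screens would need a separate policy if you want coverage there too.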
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-06T13:45:29.328Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6932441b10edf2688fd42d76
Added to database: 12/5/2025, 2:31:55 AM
Last enriched: 12/12/2025, 5:04:57 AM
Last updated: 1/19/2026, 12:39:40 AM
Views: 93