CVE-2025-13135 identifies a stored Cross-Site Scripting vulnerability in the HotelRunner Booking Widget plugin for WordPress, versions up to and including 5.2.4. The vulnerability stems from insufficient sanitization and escaping of user input in the plugin's 'hotelrunner' shortcode attributes. Specifically, authenticated users with contributor-level permissions or higher can insert arbitrary JavaScript code into pages via these shortcode attributes. When other users access these pages, the malicious scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or manipulate page content. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (PR:L), no user interaction, and scope changed. The impact affects confidentiality and integrity but not availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability affects all versions of the plugin up to 5.2.4, which is widely used by hotels and travel businesses integrating booking functionalities into WordPress sites.

The vulnerability allows authenticated users with contributor-level access or higher to inject persistent malicious scripts into web pages via the HotelRunner Booking Widget shortcode. This can lead to session hijacking, credential theft, unauthorized actions performed on behalf of other users, and defacement or manipulation of website content. For organizations relying on this plugin, especially those in the hospitality and travel sectors, this could result in compromised user accounts, loss of customer trust, and potential data breaches. Since the attack requires authenticated access, the risk is somewhat mitigated but still significant in environments where contributor-level accounts are common or where attackers can compromise such accounts. The scope change in CVSS indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting the entire WordPress site. Although no availability impact is noted, the confidentiality and integrity breaches can have serious operational and reputational consequences.

Organizations should immediately review user roles and restrict contributor-level access to trusted personnel only. Implement strict input validation and output encoding for all user-supplied data, especially in shortcode attributes. Until an official patch is released, consider disabling or removing the HotelRunner Booking Widget plugin if feasible. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections targeting the 'hotelrunner' shortcode. Regularly audit WordPress user accounts for suspicious activity and enforce strong authentication mechanisms, such as multi-factor authentication (MFA), to reduce the risk of account compromise. Monitor website content for unauthorized changes and conduct security scans to detect injected scripts. Stay updated with vendor advisories for patches or updates addressing this vulnerability.