CVE-2025-13135 is a stored cross-site scripting vulnerability identified in the HotelRunner Booking Widget plugin for WordPress, affecting all versions up to and including 5.2.4. The vulnerability arises from insufficient sanitization and escaping of user-supplied input in the 'hotelrunner' shortcode attributes. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages that utilize the vulnerable shortcode. When other users, including administrators or site visitors, access these pages, the injected scripts execute in their browsers. This can lead to a range of malicious outcomes such as session hijacking, privilege escalation, defacement, or redirection to malicious sites. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and scope change. The vulnerability impacts confidentiality and integrity but not availability. No public exploits have been reported yet, but the presence of authenticated access requirements limits exploitation to insiders or compromised accounts. The plugin is widely used in the hospitality sector to facilitate hotel bookings on WordPress sites, making it a targeted vector for attackers aiming to compromise booking platforms or steal user data. The vulnerability was published on November 21, 2025, and no official patches have been linked yet, emphasizing the need for immediate mitigation steps by affected organizations.

For European organizations, especially those in the hospitality and tourism sectors relying on WordPress sites with the HotelRunner Booking Widget, this vulnerability poses a significant risk. Exploitation could allow attackers with contributor-level access to inject malicious scripts that execute in the context of site visitors or administrators, potentially leading to credential theft, session hijacking, or unauthorized actions on the site. This could result in data breaches involving customer personal and payment information, reputational damage, and regulatory penalties under GDPR due to compromised user data. The scope of impact is heightened for organizations with high web traffic and multiple user roles. Since the vulnerability requires authenticated access, insider threats or compromised contributor accounts are the primary vectors. However, once exploited, the attacker can affect all users accessing the infected pages, amplifying the damage. The lack of a patch increases exposure time, and the medium severity rating suggests a moderate but actionable risk. Disruption to booking services could also indirectly impact business operations and customer trust.

European organizations should immediately audit their WordPress installations to identify the presence of the HotelRunner Booking Widget plugin and confirm the version in use. Until an official patch is released, organizations should restrict contributor-level access to trusted users only and monitor for suspicious activity from these accounts. Implementing Web Application Firewalls (WAF) with custom rules to detect and block malicious script injections targeting the 'hotelrunner' shortcode parameters can provide interim protection. Site administrators should also enforce strict input validation and output encoding on shortcode attributes if custom development is feasible. Regularly scanning websites for XSS payloads and anomalous content injections is recommended. Additionally, organizations should educate content contributors about the risks of injecting untrusted content and enforce strong authentication mechanisms to reduce the risk of account compromise. Once a patch is available, prompt updating of the plugin is critical. Backup procedures should be reviewed to enable quick restoration if exploitation occurs.