CVE-2025-13135 is a stored Cross-Site Scripting (XSS) vulnerability identified in the HotelRunner Booking Widget plugin for WordPress, which is widely used to facilitate hotel booking functionalities on websites. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically within the plugin's 'hotelrunner' shortcode. The plugin fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. This malicious script is stored persistently and executed in the context of any user who accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 5.2.4. The CVSS 3.1 base score of 6.4 reflects a medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (authenticated contributor or above), no user interaction, and a scope change indicating that the vulnerability affects resources beyond the initially vulnerable component. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to websites using this plugin, especially those handling sensitive user data or financial transactions. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps. The vulnerability's exploitation could lead to partial confidentiality and integrity loss but does not impact availability. The stored nature of the XSS increases the risk as the malicious payload persists and can affect multiple users over time.

For European organizations, especially those in the hospitality and tourism sectors relying on WordPress websites with the HotelRunner Booking Widget, this vulnerability could lead to unauthorized access to user sessions, theft of sensitive customer data, and potential defacement or manipulation of booking information. The persistent XSS could facilitate phishing attacks, credential theft, or unauthorized actions performed under the guise of legitimate users, damaging brand reputation and customer trust. Given the importance of online booking platforms in Europe’s travel industry, exploitation could disrupt business operations and lead to regulatory penalties under GDPR if personal data is compromised. The medium severity score indicates a moderate but tangible risk, particularly in environments where contributor-level access is granted to multiple users, increasing the attack surface. The vulnerability could also be leveraged as a foothold for further attacks within an organization's network or to spread malware to site visitors.

European organizations should immediately audit their WordPress installations to identify the presence of the HotelRunner Booking Widget plugin and verify the version in use. Until an official patch is released, restrict contributor-level and higher permissions to trusted users only and review user roles to minimize the number of accounts with such privileges. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'hotelrunner' shortcode. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Where feasible, apply manual input validation and output escaping in the plugin code or disable the shortcode functionality temporarily. Monitor website logs for unusual activity indicative of exploitation attempts. Educate site administrators and content contributors about the risks of injecting untrusted content. Once a patch is available, prioritize immediate update and test the plugin in a staging environment before deployment. Additionally, conduct regular security assessments and penetration testing focused on plugin vulnerabilities.