The BA Book Everything plugin for WordPress, widely used for booking and reservation functionalities, suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-14449. This vulnerability is due to improper neutralization of input during web page generation (CWE-79), specifically within the babe-search-form shortcode. The plugin fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level or higher permissions to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability is exploitable remotely over the network without user interaction, with low attack complexity, but requires at least contributor-level privileges, limiting exploitation to insiders or compromised accounts. The CVSS 3.1 base score of 6.4 reflects a medium severity, with partial confidentiality and integrity impacts but no availability impact. No public exploit code or widespread exploitation has been reported yet. The vulnerability affects all plugin versions up to and including 1.8.14. The lack of a patch at the time of publication necessitates immediate risk mitigation steps by administrators. Given the plugin’s role in booking systems, the vulnerability could be leveraged to target customers or employees of affected organizations, potentially leading to data theft or reputational damage.

For European organizations, especially those in the travel, hospitality, and booking sectors using WordPress with the BA Book Everything plugin, this vulnerability poses a significant risk. An attacker with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, credential theft, unauthorized actions, or defacement. This can result in loss of customer trust, regulatory penalties under GDPR due to compromised personal data, and operational disruptions. Since the attack requires authenticated access, insider threats or compromised contributor accounts are primary concerns. The vulnerability could also be exploited to pivot to further attacks within the organization’s network. The medium severity score indicates a moderate but non-negligible risk, particularly for organizations with many contributors or less stringent access controls. The impact is magnified in countries with high WordPress adoption and significant online booking activity, where customer-facing websites are critical business assets.

1. Immediately restrict contributor-level permissions to trusted users only and review existing user roles for unnecessary privileges. 2. Monitor and audit contributor activity for suspicious behavior or unauthorized content changes. 3. Implement a Web Application Firewall (WAF) with robust XSS filtering to detect and block malicious script injections. 4. Regularly back up website data to enable quick restoration if an attack occurs. 5. Once available, promptly apply official patches or updates to the BA Book Everything plugin to fix the vulnerability. 6. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 7. Educate content contributors about the risks of injecting untrusted content and enforce input validation policies. 8. Conduct periodic security assessments and penetration testing focused on WordPress plugins and user privilege management. 9. Consider isolating booking-related plugins in sandboxed environments or separate subdomains to limit potential damage. 10. Monitor threat intelligence feeds for any emerging exploit code or attack campaigns targeting this vulnerability.