The BA Book Everything plugin for WordPress suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-14449. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically within the plugin's babe-search-form shortcode. The root cause is insufficient sanitization and escaping of user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. Because the malicious script is stored, it executes every time a user accesses the infected page, potentially compromising session tokens, redirecting users, or performing actions on behalf of victims. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector (AV:N), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), and a scope change (S:C) indicating that the vulnerability affects resources beyond the initially vulnerable component. Confidentiality and integrity impacts are low but notable, while availability is unaffected. No public exploits have been reported yet, but the vulnerability is significant due to the ease of exploitation by authenticated users with relatively low privileges. The plugin is widely used in booking and travel-related WordPress sites, making it a valuable target for attackers aiming to compromise site visitors or administrators.

For European organizations, especially those in the travel, hospitality, and booking sectors relying on WordPress and the BA Book Everything plugin, this vulnerability poses a risk of client-side script injection leading to session hijacking, credential theft, or unauthorized actions performed on behalf of users. This can result in reputational damage, loss of customer trust, and potential regulatory penalties under GDPR if personal data is compromised. The requirement for contributor-level access limits exposure somewhat but insider threats or compromised contributor accounts could facilitate exploitation. The scope change in the vulnerability means attackers can affect components beyond the plugin itself, potentially escalating the impact. Given the plugin’s role in booking workflows, attackers might manipulate booking data or redirect users to malicious sites, disrupting business operations. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after disclosure.

Organizations should immediately audit their WordPress installations to identify the presence of the BA Book Everything plugin and verify the version in use. Until an official patch is released, administrators should restrict contributor-level access to trusted users only and consider temporarily disabling the plugin if feasible. Implementing Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting the babe-search-form shortcode can provide interim protection. Site administrators should enforce strict input validation and output encoding on all user-supplied data within the plugin’s context, possibly by customizing the plugin code or using security plugins that sanitize shortcode inputs. Regularly monitoring logs for unusual contributor activity and scanning for injected scripts on pages using the shortcode is recommended. Once a patch is available, prompt updating is critical. Additionally, educating contributors about secure content practices and monitoring for phishing or social engineering attempts can reduce the risk of account compromise.