CVE-2025-23604 identifies a stored Cross-site Scripting (XSS) vulnerability in the Maeve Lander Rezdy Reloaded software, specifically affecting versions up to 1.0.1. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be stored on the server and subsequently executed in the browsers of users who access the affected pages. Stored XSS is particularly dangerous because the malicious payload persists on the server and can impact multiple users without requiring repeated attacker interaction. This vulnerability can be exploited by attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to session hijacking, credential theft, defacement, or distribution of malware. The vulnerability does not require authentication or complex user interaction beyond visiting a compromised page, increasing its risk profile. No CVSS score has been assigned yet, and no public exploits have been reported. The affected product, Rezdy Reloaded, is used primarily in booking and reservation management, making it a valuable target for attackers aiming to disrupt business operations or steal sensitive customer data. The lack of available patches at the time of publication necessitates immediate attention to mitigation strategies.

The impact of CVE-2025-23604 on organizations worldwide can be significant, especially for those relying on Rezdy Reloaded for booking and reservation management. Successful exploitation can lead to unauthorized access to user sessions, theft of sensitive customer information, and potential compromise of administrative accounts. This can result in reputational damage, financial loss, and regulatory penalties due to data breaches. Additionally, attackers could use the vulnerability to inject malicious scripts that redirect users to phishing sites or deliver malware, further amplifying the threat. The persistence of stored XSS means multiple users can be affected over time, increasing the scope of impact. Organizations in the travel, tourism, and event management sectors are particularly vulnerable, as these industries commonly use Rezdy Reloaded or similar platforms. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after disclosure.

To mitigate CVE-2025-23604, organizations should first monitor for and apply any official patches or updates released by Maeve Lander for Rezdy Reloaded as soon as they become available. In the absence of patches, implement strict input validation and output encoding on all user-supplied data to neutralize potentially malicious scripts before rendering them in web pages. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Regularly audit and sanitize stored data to identify and remove malicious payloads. Additionally, ensure that web application firewalls (WAFs) are configured to detect and block XSS attack patterns targeting Rezdy Reloaded. Educate users and administrators about the risks of XSS and encourage the use of multi-factor authentication to reduce the impact of session hijacking. Finally, conduct periodic security assessments and penetration testing focused on input handling and web application security to proactively identify similar vulnerabilities.