CVE-2025-24560 identifies a reflected Cross-site Scripting (XSS) vulnerability in the AwesomeTOGI Awesome Event Booking plugin, specifically in versions up to and including 2.7.1. The vulnerability stems from improper neutralization of input during web page generation, meaning that user-supplied data is not adequately sanitized or encoded before being included in the HTML output. This allows an attacker to craft malicious URLs containing executable JavaScript code that, when visited by a victim, executes within their browser context. Reflected XSS vulnerabilities typically require social engineering to lure users into clicking malicious links. The Awesome Event Booking plugin is widely used on WordPress sites to manage event registrations and bookings, making it a valuable target for attackers seeking to compromise site visitors or administrators. Although no public exploits have been reported yet, the vulnerability is publicly disclosed and thus could be targeted by attackers. The lack of a CVSS score indicates that the vulnerability is newly published and pending detailed scoring, but the nature of reflected XSS and its impact on user session security and data confidentiality is well understood. The vulnerability affects all versions up to 2.7.1, and no patches or updates are explicitly linked in the provided data, suggesting users should monitor vendor advisories closely. The vulnerability does not require authentication, increasing its risk profile, and can be exploited remotely via crafted URLs.

The primary impact of this vulnerability is on the confidentiality and integrity of user data and sessions. Successful exploitation can lead to theft of session cookies, enabling attackers to impersonate users, including administrators, potentially leading to full site compromise. Attackers can also perform actions on behalf of users, inject malicious content, or redirect victims to phishing sites. This can damage organizational reputation, lead to data breaches, and cause operational disruptions. Since the vulnerability is reflected XSS, it requires user interaction, but the ease of crafting malicious links and the widespread use of the affected plugin increase the attack surface significantly. Organizations using the Awesome Event Booking plugin on public-facing websites are at risk, especially those handling sensitive user information or financial transactions related to event bookings. The absence of known exploits in the wild currently limits immediate impact, but the public disclosure increases the likelihood of future attacks. The vulnerability could also be leveraged as part of multi-stage attacks targeting broader network access or data exfiltration.

Organizations should immediately verify if they are using the AwesomeTOGI Awesome Event Booking plugin and identify the version in use. If possible, upgrade to a version later than 2.7.1 once a patch is released by the vendor. In the absence of an official patch, implement web application firewall (WAF) rules to detect and block typical XSS attack patterns targeting the plugin’s endpoints. Employ input validation and output encoding on all user-supplied data within the application, especially in URL parameters and form inputs related to event booking pages. Educate users and administrators about the risks of clicking suspicious links and encourage the use of browser security features such as script blockers or content security policies (CSP) to limit script execution. Conduct regular security assessments and penetration testing focused on web application vulnerabilities. Monitor security advisories from AwesomeTOGI and WordPress plugin repositories for updates or patches. Additionally, review server and application logs for unusual activity that may indicate attempted exploitation.