CVE-2025-24723 identifies a stored Cross-site Scripting (XSS) vulnerability in the codepeople Booking Calendar Contact Form plugin, specifically versions up to and including 1.2.55. Stored XSS occurs when malicious input is improperly sanitized and then permanently stored on the target server, such as in a database or message field, and later rendered in a web page without proper encoding. In this case, the vulnerability exists in the contact form component of the Booking Calendar plugin, which is used to manage booking requests on websites. Attackers can inject malicious JavaScript payloads into the form inputs that are saved and subsequently executed in the browsers of users who view the affected pages. This can lead to theft of session cookies, user impersonation, defacement, or distribution of malware. The vulnerability does not require authentication, increasing its risk profile. Although no known exploits are currently in the wild, the widespread use of booking calendar plugins on WordPress and similar CMS platforms makes this a significant threat vector. The lack of a CVSS score indicates the vulnerability is newly published, but the technical details and nature of stored XSS suggest a high severity. The absence of official patches at the time of publication means users must rely on temporary mitigations or updates once available.

The impact of this stored XSS vulnerability can be severe for organizations running websites with the affected Booking Calendar Contact Form plugin. Successful exploitation can compromise the confidentiality of user data by stealing session tokens or credentials, leading to unauthorized account access. Integrity can be undermined through content manipulation or defacement, damaging brand reputation and user trust. Availability may be indirectly affected if attackers use the vulnerability to inject malware or conduct phishing attacks, potentially leading to site blacklisting or downtime. Because the vulnerability is stored, every visitor to the affected page is at risk, amplifying the scope of impact. Organizations in sectors such as hospitality, event management, and services that rely on online booking forms are particularly vulnerable. The lack of authentication requirements and ease of exploitation increase the likelihood of attacks, especially if the plugin is widely deployed without timely updates.

To mitigate CVE-2025-24723, organizations should immediately check if they use the codepeople Booking Calendar Contact Form plugin and determine the version in use. If the version is 1.2.55 or earlier, they should prioritize upgrading to a patched version once released by the vendor. Until an official patch is available, administrators can implement Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting the contact form inputs. Input validation and output encoding should be enforced at the application level to neutralize malicious scripts. Disabling or restricting the contact form temporarily can reduce exposure. Regularly monitoring web logs for suspicious input patterns and unusual user activity can help detect exploitation attempts early. Additionally, educating users about the risks of clicking suspicious links or submitting untrusted content can reduce the impact of potential attacks. Finally, organizations should maintain an incident response plan to quickly address any compromise resulting from this vulnerability.