CVE-2025-32923: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GoodLayers Tourmaster
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoodLayers Tourmaster (plugin slug: tourmaster) allows Reflected XSS. This issue affects Tourmaster: from n/a through < 5.4.1.
AI Analysis
Technical Summary
CVE-2025-32923 is a reflected Cross-site Scripting (XSS) vulnerability in the GoodLayers Tourmaster WordPress plugin, affecting all versions prior to 5.4.1. The vulnerability stems from improper neutralization of input during web page generation: attacker-controlled values in URL or request parameters are reflected into the HTTP response without adequate output encoding, so script content can be injected into the page. When a victim opens a crafted link carrying such a payload, the injected script executes in their browser in the origin of the vulnerable site. This can lead to session hijacking, theft of cookies or credentials, defacement, or redirection to malicious sites. The attacker needs no authentication, so the issue is reachable by unauthenticated remote attackers; exploitation does, however, require social engineering to get a user to follow a malicious link. No CVSS score has been assigned yet, and no public exploits have been reported. Tourmaster is widely used by tourism-related businesses to manage bookings and tours on WordPress sites. No patch link is given in the advisory; the version range indicates that upgrading to 5.4.1 or later remediates the issue. As with any reflected XSS, the attack surface is every user-facing input field or URL parameter that the plugin echoes without proper sanitization or encoding.
Potential Impact
The impact of CVE-2025-32923 is significant for organizations using the affected versions of the GoodLayers Tourmaster plugin. Successful exploitation can compromise the confidentiality and integrity of user data by enabling attackers to steal session cookies, impersonate users, or perform unauthorized actions on their behalf. This can lead to account takeover, unauthorized bookings or modifications, and loss of customer trust. Additionally, attackers can use the vulnerability to deliver malware or phishing content by redirecting users to malicious websites. For tourism businesses, this can result in reputational damage and financial loss. Since the vulnerability is reflected XSS, it requires user interaction, which may limit widespread automated exploitation but does not eliminate risk. The availability impact is generally low, as XSS typically does not cause denial of service. However, the overall security posture of affected websites is weakened, increasing the risk of further attacks.
Mitigation Recommendations
To mitigate CVE-2025-32923, organizations should immediately upgrade the GoodLayers Tourmaster plugin to version 5.4.1 or later, where the vulnerability is patched. If upgrading is not immediately possible, implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns that may contain script tags or typical XSS payloads targeting the plugin's parameters. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of potential XSS attacks. Additionally, review and harden input validation and output encoding practices within the plugin's configuration if customization is possible. Educate users and administrators about the risks of clicking untrusted links and encourage the use of security awareness training to reduce successful social engineering attempts. Regularly monitor web server logs and security alerts for signs of attempted exploitation. Finally, maintain a robust backup and incident response plan to quickly recover from any compromise.
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, Italy, Spain, Netherlands, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-04-14T11:30:45.183Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69cd73f1e6bfc5ba1def42c8
Added to database: 4/1/2026, 7:37:21 PM
Last enriched: 4/2/2026, 3:54:01 AM
Last updated: 4/4/2026, 4:41:19 PM
Views: 7