The WP Booking Calendar plugin for WordPress, widely used for managing booking functionalities on websites, contains a stored cross-site scripting vulnerability identified as CVE-2025-4669. This vulnerability stems from CWE-79, improper neutralization of input during web page generation, specifically in the handling of the wpbc shortcode. The plugin fails to adequately sanitize and escape user-supplied attributes before rendering them on pages. As a result, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages via the shortcode parameters. When other users access these pages, the malicious scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or deface content. The vulnerability affects all versions up to and including 10.11.1. Exploitation does not require user interaction beyond page access but does require authentication with contributor or higher privileges, limiting exposure to internal or semi-trusted users. The CVSS 3.1 base score is 6.4, indicating a medium severity level, with the vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N reflecting network attack vector, low attack complexity, privileges required, no user interaction, scope change, and limited confidentiality and integrity impact without availability impact. No patches or exploits are currently publicly available, but the vulnerability poses a risk to websites relying on this plugin, especially those with multiple contributors or untrusted users. Mitigation requires updating the plugin once a fix is released or applying strict input validation and output encoding on shortcode attributes.

This vulnerability can lead to unauthorized script execution in the context of affected websites, compromising user confidentiality and integrity. Attackers can hijack user sessions, steal sensitive information, or perform unauthorized actions on behalf of users, potentially leading to account compromise or data leakage. Since exploitation requires contributor-level access, the threat is primarily from insiders or compromised accounts with elevated privileges. The vulnerability does not affect system availability but can damage organizational reputation and user trust if exploited. Websites with multiple contributors or public-facing content management are at higher risk. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the vulnerable component, increasing potential impact. Although no known exploits exist currently, the medium severity score and ease of exploitation with low complexity suggest organizations should act promptly to mitigate risk.

1. Monitor for and apply official patches or updates from the wpdevelop vendor as soon as they become available to address this vulnerability. 2. Until a patch is released, restrict contributor-level access to trusted users only and review user roles to minimize unnecessary privileges. 3. Implement strict input validation and output encoding on all shortcode attributes, especially those accepting user input, to prevent script injection. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode payloads or script injection attempts. 5. Conduct regular security audits and code reviews of WordPress plugins and themes to identify similar vulnerabilities proactively. 6. Educate content contributors about the risks of injecting untrusted content and enforce content submission policies. 7. Monitor website logs and user activity for unusual behavior indicative of exploitation attempts. 8. Consider disabling or replacing the WP Booking Calendar plugin with alternatives if immediate patching is not feasible.