CVE-2025-4669: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpdevelop WP Booking Calendar
The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpbc shortcode in all versions up to, and including, 10.11.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-4669 is a stored Cross-Site Scripting (XSS) vulnerability in the WP Booking Calendar plugin for WordPress, developed by wpdevelop. It exists in all versions up to and including 10.11.1. The root cause is insufficient sanitization and escaping of user-supplied attributes in the plugin's wpbc shortcode, which is used to embed booking calendar functionality within WordPress pages. Authenticated users with contributor-level access or higher can exploit the flaw by placing arbitrary JavaScript in the shortcode attributes. Because the malicious script is stored persistently with the page content, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The CVSS 3.1 base score is 6.4 (medium severity); the vector reflects a network attack vector, low attack complexity, low privileges required (contributor or above), no user interaction, and a scope change. There are no known exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability is classified under CWE-79, improper neutralization of input during web page generation, the weakness class behind most XSS issues. The stored nature of the XSS increases its risk compared to reflected XSS, since the payload persists and affects every visitor to the page. It affects the confidentiality and integrity of user sessions and data but does not directly impact availability.
Potential Impact
For European organizations running WordPress websites with the WP Booking Calendar plugin, this vulnerability poses a significant risk to web application security. Attackers with contributor-level access, often internal users or compromised accounts, can inject malicious scripts that execute in the browsers of site visitors and administrators. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access to sensitive areas of the website or backend. It can also facilitate defacement, phishing, or distribution of malware through the compromised site. Given the widespread use of WordPress in Europe for business, governmental, and e-commerce websites, exploitation could damage brand reputation, lead to data breaches involving personal data protected under GDPR, and result in regulatory penalties. Exploitation requires no user interaction beyond visiting the infected page, which increases the likelihood of impact. However, the requirement for contributor-level privileges limits the attack surface to some extent, as anonymous users cannot exploit it directly. Still, compromised or malicious insiders represent a credible threat vector. The lack of known exploits in the wild suggests limited immediate risk but also highlights the need for proactive mitigation before attackers develop weaponized payloads.
Mitigation Recommendations
European organizations should take immediate steps to mitigate this vulnerability beyond generic advice. First, they should identify all WordPress instances using the WP Booking Calendar plugin and determine the installed versions. Until an official patch is released, organizations should consider disabling or removing the plugin if contributor-level user access cannot be tightly controlled. Implement strict access controls and audit contributor and higher privilege accounts to detect suspicious activity. Employ Web Application Firewalls (WAFs) with custom rules to detect and block attempts to inject malicious scripts via the wpbc shortcode parameters. Additionally, review and harden input validation and output encoding practices on affected pages, possibly by customizing the plugin or using security plugins that sanitize shortcode inputs. Educate content contributors about the risks of injecting untrusted content and monitor logs for unusual shortcode usage patterns. Once a patch is available, prioritize prompt testing and deployment. Finally, implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts, mitigating the impact of any successful injection.
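As an added illustration, not code from WP Booking Calendar or wpdevelop, the following shows the unsafe pattern the technical summary describes (attribute values written straight into HTML) beside the hardened form the mitigation section asks for (validate on input, escape per output context). The shortcode name `example_calendar` and the attributes `title` and `booking_type` are hypothetical, since the page does not name the affected wpbc attributes; the WordPress functions used are the core ones.

```php
<?php
// Hypothetical shortcode handlers for illustration only; not the plugin's code.

// Unsafe pattern: attribute values flow into the page unescaped. A contributor
// who controls the shortcode in post content controls what lands in the HTML.
function example_calendar_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Book now', 'booking_type' => '1' ),
        $atts,
        'example_calendar'
    );
    // Neither sanitized nor escaped: a value can close the attribute or the
    // element and append markup of its own, which is the CWE-79 condition.
    return '<div class="calendar" data-type="' . $atts['booking_type'] . '">'
         . '<h3>' . $atts['title'] . '</h3></div>';
}

// Hardened pattern: coerce each value to its expected type on the way in,
// then escape it for the exact context it is written into.
function example_calendar_shortcode_safe( $atts ) {
    // shortcode_atts() also acts as an allowlist: unknown attributes are dropped.
    $atts = shortcode_atts(
        array( 'title' => 'Book now', 'booking_type' => '1' ),
        $atts,
        'example_calendar'
    );
    $booking_type = absint( $atts['booking_type'] );        // non-negative integer only
    $title        = sanitize_text_field( $atts['title'] );  // strips tags and control bytes

    // esc_attr() for an HTML attribute, esc_html() for element text content.
    return '<div class="calendar" data-type="' . esc_attr( $booking_type ) . '">'
         . '<h3>' . esc_html( $title ) . '</h3></div>';
}
add_shortcode( 'example_calendar', 'example_calendar_shortcode_safe' );
```

Output escaping is the control that actually closes the bug; the input sanitization step reduces what reaches storage but cannot replace context-specific escaping at render time.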
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-13T20:54:09.020Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0f81484d88663aeb6ff
Added to database: 5/20/2025, 6:59:04 PM
Last enriched: 7/11/2025, 7:31:24 PM
Last updated: 8/5/2025, 6:50:41 AM
Related Threats
- CVE-2025-8988: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
- CVE-2025-8987: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
- CVE-2025-8986: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
- CVE-2025-31987: CWE-405 Asymmetric Resource Consumption in HCL Software Connections Docs (Medium)
- CVE-2025-8985: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)