CVE-2025-48231: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in codepeople Booking Calendar Contact Form
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Booking Calendar Contact Form allows Stored XSS. This issue affects Booking Calendar Contact Form: from n/a through 1.2.58.
AI Analysis
Technical Summary
CVE-2025-48231 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the codepeople Booking Calendar Contact Form plugin up to version 1.2.58. This vulnerability arises due to improper neutralization of input during web page generation, allowing malicious scripts to be injected and stored within the application. When a victim accesses the affected page, the malicious script executes in their browser context. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) reveals that the attack can be launched remotely over the network with low attack complexity, requires privileges (likely authenticated user access), and user interaction (victim must visit a crafted page). The vulnerability impacts confidentiality, integrity, and availability to a limited extent, as the attacker can execute arbitrary scripts that may steal session tokens, manipulate page content, or perform actions on behalf of the user. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable module. No known exploits are currently reported in the wild, and no patches are linked yet. The vulnerability is relevant for any organization using the affected Booking Calendar Contact Form plugin, especially those relying on it for customer interactions or bookings on their websites.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to web applications using the codepeople Booking Calendar Contact Form plugin. Exploitation could lead to session hijacking, unauthorized actions performed with user privileges, defacement, or phishing attacks targeting users of affected websites. This can result in data breaches involving personal data, reputational damage, and potential non-compliance with GDPR due to inadequate protection of user input and data integrity. Given the plugin’s role in booking and contact forms, attackers might manipulate booking data or harvest sensitive user information. The medium severity score suggests a moderate but tangible risk, especially for organizations with high web traffic or sensitive customer interactions. The requirement for authenticated access to exploit the vulnerability somewhat limits the attack surface but does not eliminate risk, particularly if user accounts have weak access controls or if attackers can compromise user credentials. The cross-site scripting nature also means that the impact could cascade if exploited in combination with other vulnerabilities or social engineering tactics.
Mitigation Recommendations
Organizations should immediately audit their use of the codepeople Booking Calendar Contact Form plugin and identify affected versions (up to 1.2.58). Until an official patch is released, implement strict input validation and output encoding on all user-supplied data fields within the booking calendar and contact forms to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Review and tighten user privilege assignments to minimize the number of users with permissions to submit or modify form data. Monitor web logs for unusual input patterns or repeated attempts to inject scripts. Educate users about phishing and suspicious links to reduce successful exploitation via social engineering. Once a patch becomes available, prioritize its deployment. Additionally, consider implementing Web Application Firewalls (WAFs) with rules targeting common XSS payloads to provide an additional layer of defense.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland
CVE-2025-48231: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in codepeople Booking Calendar Contact Form
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Booking Calendar Contact Form allows Stored XSS. This issue affects Booking Calendar Contact Form: from n/a through 1.2.58.
AI-Powered Analysis
Technical Analysis
CVE-2025-48231 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the codepeople Booking Calendar Contact Form plugin up to version 1.2.58. This vulnerability arises due to improper neutralization of input during web page generation, allowing malicious scripts to be injected and stored within the application. When a victim accesses the affected page, the malicious script executes in their browser context. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) reveals that the attack can be launched remotely over the network with low attack complexity, requires privileges (likely authenticated user access), and user interaction (victim must visit a crafted page). The vulnerability impacts confidentiality, integrity, and availability to a limited extent, as the attacker can execute arbitrary scripts that may steal session tokens, manipulate page content, or perform actions on behalf of the user. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable module. No known exploits are currently reported in the wild, and no patches are linked yet. The vulnerability is relevant for any organization using the affected Booking Calendar Contact Form plugin, especially those relying on it for customer interactions or bookings on their websites.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to web applications using the codepeople Booking Calendar Contact Form plugin. Exploitation could lead to session hijacking, unauthorized actions performed with user privileges, defacement, or phishing attacks targeting users of affected websites. This can result in data breaches involving personal data, reputational damage, and potential non-compliance with GDPR due to inadequate protection of user input and data integrity. Given the plugin’s role in booking and contact forms, attackers might manipulate booking data or harvest sensitive user information. The medium severity score suggests a moderate but tangible risk, especially for organizations with high web traffic or sensitive customer interactions. The requirement for authenticated access to exploit the vulnerability somewhat limits the attack surface but does not eliminate risk, particularly if user accounts have weak access controls or if attackers can compromise user credentials. The cross-site scripting nature also means that the impact could cascade if exploited in combination with other vulnerabilities or social engineering tactics.
Mitigation Recommendations
Organizations should immediately audit their use of the codepeople Booking Calendar Contact Form plugin and identify affected versions (up to 1.2.58). Until an official patch is released, implement strict input validation and output encoding on all user-supplied data fields within the booking calendar and contact forms to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Review and tighten user privilege assignments to minimize the number of users with permissions to submit or modify form data. Monitor web logs for unusual input patterns or repeated attempts to inject scripts. Educate users about phishing and suspicious links to reduce successful exploitation via social engineering. Once a patch becomes available, prioritize its deployment. Additionally, consider implementing Web Application Firewalls (WAFs) with rules targeting common XSS payloads to provide an additional layer of defense.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Patchstack
- Date Reserved
- 2025-05-19T14:12:49.258Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6867b9f06f40f0eb72a049ad
Added to database: 7/4/2025, 11:24:32 AM
Last enriched: 7/4/2025, 11:56:56 AM
Last updated: 7/21/2025, 11:39:49 PM
Views: 11
Related Threats
CVE-2025-8353: CWE-446: UI Discrepancy for Security Feature in Devolutions Server
UnknownCVE-2025-8312: CWE-833: Deadlock in Devolutions Server
UnknownCVE-2025-54656: CWE-117 Improper Output Neutralization for Logs in Apache Software Foundation Apache Struts Extras
MediumCVE-2025-50578: n/a
CriticalCVE-2025-8292: Use after free in Google Chrome
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.