Skip to main content

CVE-2025-48231: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in codepeople Booking Calendar Contact Form

Medium
VulnerabilityCVE-2025-48231cvecve-2025-48231cwe-79
Published: Fri Jul 04 2025 (07/04/2025, 11:18:02 UTC)
Source: CVE Database V5
Vendor/Project: codepeople
Product: Booking Calendar Contact Form

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Booking Calendar Contact Form allows Stored XSS. This issue affects Booking Calendar Contact Form: from n/a through 1.2.58.

AI-Powered Analysis

AILast updated: 07/04/2025, 11:56:56 UTC

Technical Analysis

CVE-2025-48231 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the codepeople Booking Calendar Contact Form plugin up to version 1.2.58. This vulnerability arises due to improper neutralization of input during web page generation, allowing malicious scripts to be injected and stored within the application. When a victim accesses the affected page, the malicious script executes in their browser context. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) reveals that the attack can be launched remotely over the network with low attack complexity, requires privileges (likely authenticated user access), and user interaction (victim must visit a crafted page). The vulnerability impacts confidentiality, integrity, and availability to a limited extent, as the attacker can execute arbitrary scripts that may steal session tokens, manipulate page content, or perform actions on behalf of the user. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable module. No known exploits are currently reported in the wild, and no patches are linked yet. The vulnerability is relevant for any organization using the affected Booking Calendar Contact Form plugin, especially those relying on it for customer interactions or bookings on their websites.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to web applications using the codepeople Booking Calendar Contact Form plugin. Exploitation could lead to session hijacking, unauthorized actions performed with user privileges, defacement, or phishing attacks targeting users of affected websites. This can result in data breaches involving personal data, reputational damage, and potential non-compliance with GDPR due to inadequate protection of user input and data integrity. Given the plugin’s role in booking and contact forms, attackers might manipulate booking data or harvest sensitive user information. The medium severity score suggests a moderate but tangible risk, especially for organizations with high web traffic or sensitive customer interactions. The requirement for authenticated access to exploit the vulnerability somewhat limits the attack surface but does not eliminate risk, particularly if user accounts have weak access controls or if attackers can compromise user credentials. The cross-site scripting nature also means that the impact could cascade if exploited in combination with other vulnerabilities or social engineering tactics.

Mitigation Recommendations

Organizations should immediately audit their use of the codepeople Booking Calendar Contact Form plugin and identify affected versions (up to 1.2.58). Until an official patch is released, implement strict input validation and output encoding on all user-supplied data fields within the booking calendar and contact forms to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Review and tighten user privilege assignments to minimize the number of users with permissions to submit or modify form data. Monitor web logs for unusual input patterns or repeated attempts to inject scripts. Educate users about phishing and suspicious links to reduce successful exploitation via social engineering. Once a patch becomes available, prioritize its deployment. Additionally, consider implementing Web Application Firewalls (WAFs) with rules targeting common XSS payloads to provide an additional layer of defense.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-05-19T14:12:49.258Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6867b9f06f40f0eb72a049ad

Added to database: 7/4/2025, 11:24:32 AM

Last enriched: 7/4/2025, 11:56:56 AM

Last updated: 7/21/2025, 11:39:49 PM

Views: 11

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats