CVE-2025-49904: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in magepeopleteam Booking and Rental Manager
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Reflected XSS. This issue affects Booking and Rental Manager: from n/a through <= 2.5.3.
AI Analysis
Technical Summary
CVE-2025-49904 is a reflected cross-site scripting (XSS) vulnerability in the magepeopleteam Booking and Rental Manager plugin for WooCommerce, affecting all versions up to and including 2.5.3. The root cause is improper neutralization of user-supplied input during web page generation: a request parameter is written into the HTTP response without sanitization or encoding, so a crafted value is reflected back and executes as JavaScript in the victim's browser. Because the payload travels in the URL or request rather than being stored by the application, the issue is classified as reflected XSS. The attack vector is network-based and requires no privileges or authentication, but it does require user interaction, typically following a crafted link. The CVSS v3.1 base score is 6.1, a medium severity. Successful exploitation can expose session cookies, credentials, or other data reachable from the browser, and can alter page content to deceive users. Scope is 'changed' because the impact lands on a component other than the vulnerable one: the plugin runs on the web server, but the injected code executes in the victim's browser. No exploitation in the wild was known at the time of publication, but the plugin's role in e-commerce booking and rental flows makes it a meaningful risk to affected sites. The plugin is widely used in WooCommerce environments, which are popular in European e-commerce markets. The issue underlines the need for input validation, context-aware output encoding, and defensive headers such as Content Security Policy (CSP) to limit the effect of XSS.
Potential Impact
For European organizations, especially those operating e-commerce platforms using WooCommerce with the Booking and Rental Manager plugin, this vulnerability poses a risk to user data confidentiality and integrity. Attackers exploiting this reflected XSS could steal session cookies or authentication tokens, leading to account hijacking or unauthorized transactions. Manipulation of web page content could facilitate phishing attacks or spread malware to users. Although availability is not directly impacted, the reputational damage and potential regulatory consequences under GDPR for failing to protect user data could be significant. The medium severity score reflects that while exploitation requires user interaction, the lack of authentication barriers and the wide use of the plugin increase the risk profile. Organizations handling booking and rental services, including travel agencies, property rental platforms, and event management companies, may face targeted attacks aiming to disrupt business operations or compromise customer trust. The vulnerability also increases the attack surface for chained exploits in multi-vector attacks.
Mitigation Recommendations
Organizations should immediately audit their WooCommerce environments to identify installations of the magepeopleteam Booking and Rental Manager plugin and verify the version in use. Until a fixed version is applied, implement strict input validation and context-aware output encoding on all user-supplied data fields related to booking and rental management. Deploy a Content Security Policy (CSP) that blocks inline scripts and restricts the sources from which scripts may load. Use Web Application Firewall (WAF) rules that detect and block reflected XSS patterns aimed at this plugin. Educate users and staff about the risks of following unexpected links, especially those that claim to be booking or rental confirmations. Monitor web server logs and application telemetry for request patterns indicative of attempted exploitation, such as script markup in query strings. Once a vendor patch is available, prioritize a timely update of the plugin. Additionally, set the HttpOnly and Secure attributes on session cookies to reduce the risk of session theft. Conduct regular security assessments and penetration testing focused on input handling and client-side security controls.
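As an added example (not code from the plugin or from this advisory), the following Python shows the mitigations above in working form: context-aware output encoding of a reflected parameter beside the unencoded anti-pattern, the CSP and cookie attributes recommended, and a triage of web server access-log lines for requests carrying script-injection markers. The parameter names, header values and log lines are constructed for illustration and are not the plugin's real parameters or endpoints; in the WordPress plugin itself the equivalent fix is to pass every reflected value through esc_html(), esc_attr() or esc_url() before it is echoed.

```python
import html
import re
import urllib.parse
from typing import Dict, Iterable, List

# --- 1. Context-aware output encoding -------------------------------------
# Reflected XSS arises when a request parameter is echoed into the response
# without encoding for the context it lands in. The parameter names below
# ("booking_ref", "return_url") are hypothetical, constructed for this example.

def render_unsafe(params: Dict[str, str]) -> str:
    """The anti-pattern: raw interpolation of a query parameter into HTML."""
    ref = params.get("booking_ref", "")
    return f"<p>Booking reference: {ref}</p>"


def render_safe(params: Dict[str, str]) -> str:
    """Encode each value for the context it is emitted into."""
    ref = params.get("booking_ref", "")
    ret = params.get("return_url", "/")
    # HTML body context: escape & < > " ' so markup cannot be introduced.
    body = html.escape(ref, quote=True)
    # URL-in-attribute context: accept only same-site relative paths (reject
    # scheme-bearing and protocol-relative values), then attribute-encode.
    if not ret.startswith("/") or ret.startswith("//"):
        ret = "/"
    href = html.escape(ret, quote=True)
    return f'<p>Booking reference: {body}</p><a href="{href}">Back</a>'


def hardening_headers() -> Dict[str, str]:
    """Response headers that limit the blast radius if an encoding is missed."""
    return {
        # Block inline scripts and restrict script sources to this origin.
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
        ),
        # HttpOnly keeps the cookie out of document.cookie; Secure keeps it off plain HTTP.
        # The cookie value is a placeholder.
        "Set-Cookie": "session=<placeholder>; HttpOnly; Secure; SameSite=Lax; Path=/",
    }


# --- 2. Triage of access logs for reflected-XSS probes --------------------
# Combined-format access log lines, constructed for this example. The plugin
# slug in the last line is the one named in the advisory; the paths are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Nov/2025:16:08:14 +0000] "GET /?booking_ref=ABC123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Nov/2025:16:09:01 +0000] "GET /?booking_ref=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "curl/8.0"
198.51.100.2 - - [06/Nov/2025:16:09:30 +0000] "GET /?return_url=javascript%3Aalert(1) HTTP/1.1" 200 601 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Nov/2025:16:10:02 +0000] "GET /wp-content/plugins/booking-and-rental-manager-for-woocommerce/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Coarse triage heuristic for script injection in query strings. It is meant to
# surface requests for review, not to serve as a blocking rule (it will flag
# benign parameters such as "on_sale=").
XSS_MARKERS = re.compile(
    r"<\s*script|\bon\w+\s*=|javascript\s*:|<\s*(?:img|svg|iframe)\b", re.IGNORECASE
)


def suspicious_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return log entries whose decoded query string carries script-injection markers."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urllib.parse.urlsplit(m.group("path")).query
        # Decode twice: probes are often percent-encoded more than once to slip past naive filters.
        decoded = urllib.parse.unquote_plus(urllib.parse.unquote_plus(query))
        if XSS_MARKERS.search(decoded):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), "query": decoded})
    return hits


if __name__ == "__main__":
    sample = {"booking_ref": "<b>x</b>", "return_url": "javascript:void(0)"}
    print("unsafe:", render_unsafe(sample))
    print("safe:  ", render_safe(sample))
    for name, value in hardening_headers().items():
        print(f"{name}: {value}")
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} query={hit['query']}")
```

The encoding functions show why "input validation" alone is not enough: the safe renderer encodes at the point of output, for the HTML body and the href attribute separately, so the same value can be emitted into either context without breaking out of it. The log triage decodes the query string before matching, which is where most reflected probes are hidden, and reports the status code so a responder can tell a 404 probe of the plugin path from a 200 response that actually reflected the input.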
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-11T16:06:50.723Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 690cc7eeca26fb4dd2f58b13
Added to database: 11/6/2025, 4:08:14 PM
Last enriched: 1/20/2026, 8:09:17 PM
Last updated: 2/7/2026, 7:09:05 PM