CVE-2025-49904 is a reflected Cross-site Scripting (XSS) vulnerability found in the magepeopleteam Booking and Rental Manager plugin for WooCommerce, affecting all versions up to and including 2.5.3. The vulnerability stems from improper neutralization of user-supplied input during web page generation, allowing attackers to inject malicious JavaScript code that is reflected back to users. When a victim clicks a specially crafted URL containing malicious payloads, the injected script executes in their browser context, potentially enabling theft of session cookies, redirection to malicious sites, or manipulation of displayed content. The vulnerability does not require any authentication (PR:N) but does require user interaction (UI:R), such as clicking a malicious link. The CVSS v3.1 base score is 6.1, indicating a medium severity level, with attack vector network (AV:N), low attack complexity (AC:L), and scope changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. Confidentiality and integrity are impacted, but availability remains unaffected. No known exploits have been reported in the wild yet, but the presence of this vulnerability in a widely used WooCommerce plugin raises concerns for e-commerce sites relying on this booking and rental management functionality. The lack of an official patch link suggests that users should monitor vendor advisories closely. The reflected XSS nature means that attacks typically require social engineering to lure users into clicking malicious URLs. This vulnerability is particularly relevant for websites handling customer bookings and rentals, where session hijacking or content manipulation could lead to fraud or reputational damage.

For European organizations using the magepeopleteam Booking and Rental Manager plugin, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of user sessions and data. Attackers could exploit the reflected XSS to steal session cookies, enabling account takeover or unauthorized access to user accounts. Manipulation of web page content could facilitate phishing attacks or fraud, damaging customer trust and brand reputation. Although availability is not directly impacted, successful exploitation could lead to indirect service disruptions through account compromises or regulatory scrutiny. E-commerce businesses and rental service providers in Europe relying on this plugin may face targeted attacks, especially as attackers often focus on regions with high online transaction volumes. The vulnerability's requirement for user interaction means that phishing campaigns or social engineering tactics could be used to increase exploitation success. Non-compliance with GDPR and other data protection regulations could result if customer data is compromised, leading to potential legal and financial consequences. Organizations must consider the risk of lateral movement if attackers gain access to administrative accounts via session hijacking. Overall, the threat could undermine customer confidence and operational integrity in affected European markets.

1. Monitor the magepeopleteam vendor channels and Patchstack advisories for an official security patch and apply it immediately upon release. 2. Until a patch is available, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block reflected XSS payloads targeting the Booking and Rental Manager plugin endpoints. 3. Enforce strict Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit sources of executable code, reducing the impact of injected scripts. 4. Sanitize and validate all user inputs on the server side, especially URL parameters and form inputs related to booking and rental functionalities, to prevent malicious data from being processed. 5. Educate staff and users about the risks of clicking suspicious links, particularly those related to booking or rental confirmations, to reduce the likelihood of successful social engineering. 6. Conduct regular security audits and penetration testing focusing on web application input handling and reflected XSS vectors. 7. Review and limit the exposure of sensitive session cookies by setting HttpOnly and Secure flags to reduce the risk of theft via XSS. 8. Consider implementing multi-factor authentication (MFA) for user accounts to mitigate the impact of session hijacking. 9. Monitor logs for unusual URL patterns or spikes in traffic to booking-related pages that could indicate exploitation attempts.