CVE-2025-52787: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in EZiHosting Tennis Court Bookings

Severity: High
Tags: Vulnerability, CVE-2025-52787, CWE-79
Published: Wed Jul 16 2025 (07/16/2025, 11:27:54 UTC)
Source: CVE Database V5
Vendor/Project: EZiHosting
Product: Tennis Court Bookings

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EZiHosting Tennis Court Bookings allows Reflected XSS. This issue affects Tennis Court Bookings: from n/a through 1.2.7.

AI-Powered Analysis

Last updated: 07/16/2025, 12:02:19 UTC

Technical Analysis

CVE-2025-52787 is a high-severity reflected Cross-Site Scripting (XSS) vulnerability affecting EZiHosting's Tennis Court Bookings software, versions up to and including 1.2.7. The flaw is classified under CWE-79, improper neutralization of user-supplied input during web page generation: the application fails to adequately sanitize or encode input before reflecting it back in HTTP responses, which allows an attacker to inject script into the page. When a victim opens a crafted URL or submits input that triggers the reflection, the injected script executes in the victim's browser in the context of the booking site. The CVSS 3.1 base score is 7.1 with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, meaning the attack can be launched remotely over the network without privileges, requires user interaction, changes scope, and has a partial (low) impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability's nature makes it a significant risk for phishing, session hijacking, or delivery of further malicious payloads. The lack of an available patch at the time of publication increases the urgency of interim mitigation. The affected product, Tennis Court Bookings, is a web-based booking system likely used by sports facilities to manage tennis court reservations.

Potential Impact

For European organizations, particularly sports clubs, recreational centers, or municipalities using EZiHosting Tennis Court Bookings, this vulnerability poses a risk of client-side attacks that can compromise user sessions, steal sensitive booking or personal data, and potentially disrupt service availability. The reflected XSS could be exploited to conduct targeted phishing campaigns against users, leading to credential theft or unauthorized access to booking systems. Additionally, the scope change in the CVSS vector suggests that the vulnerability could be leveraged to affect other components or users beyond the initially targeted session, amplifying the impact. Given the increasing digitization of sports and recreational services in Europe, exploitation could undermine trust in these platforms and cause reputational damage. Furthermore, compromised systems might be used as a foothold for broader network attacks if attackers pivot from the web application to internal resources. The impact on confidentiality, integrity, and availability, although partial, is significant enough to warrant immediate attention.

Mitigation Recommendations

Organizations should implement strict input validation and output encoding on all user-supplied data reflected in web pages to prevent script injection. Until an official patch is released by EZiHosting, administrators should consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting the Tennis Court Bookings application. Additionally, enabling Content Security Policy (CSP) headers can help mitigate the impact by restricting the execution of unauthorized scripts. User education is also critical; informing users about the risks of clicking suspicious links can reduce successful exploitation. Regularly monitoring web server logs for unusual request patterns indicative of XSS attempts is advised. If feasible, temporarily disabling or restricting access to vulnerable components or implementing multi-factor authentication for booking system access can reduce risk. Finally, organizations should maintain close communication with EZiHosting for timely patch releases and apply updates promptly once available.
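An added illustration, not EZiHosting's code, of the reflected-XSS pattern behind this CWE-79 finding beside the output encoding, allow-list validation and CSP header that the recommendations above describe; the `court` parameter and the page markup are hypothetical stand-ins for whatever input the affected product reflects.

```python
import html
from typing import Dict, Tuple

# Constructed illustration of a reflected-XSS pattern and its fix; it is not
# EZiHosting's code. The "court" query parameter and the page markup are
# hypothetical stand-ins for whatever input the affected product reflects.

def render_vulnerable(court: str) -> str:
    # Anti-pattern: untrusted input concatenated straight into the HTML body.
    return f"<h1>Booking for court {court}</h1>"

def render_hardened(court: str) -> str:
    # Output encoding for the HTML body context; quote=True also makes the
    # value safe inside a double-quoted attribute.
    return f"<h1>Booking for court {html.escape(court, quote=True)}</h1>"

def validate_court_id(raw: str) -> int:
    # Allow-list validation: a court id is a small positive integer, nothing else.
    if not raw.isdigit() or not 1 <= int(raw) <= 99:
        raise ValueError("invalid court id")
    return int(raw)

def security_headers() -> Dict[str, str]:
    # Defence in depth: a CSP without 'unsafe-inline' stops an injected inline
    # script from running even if an encoding bug slips through.
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
        "X-Content-Type-Options": "nosniff",
    }

def handle_request(court: str) -> Tuple[int, Dict[str, str], str]:
    # Validate first; if the value is rejected, the echoed error is still encoded.
    try:
        court_id = validate_court_id(court)
    except ValueError:
        error = f"<p>Invalid court id: {html.escape(court, quote=True)}</p>"
        return 400, security_headers(), error
    return 200, security_headers(), render_hardened(str(court_id))

if __name__ == "__main__":
    probe = "7<script>alert(1)</script>"  # constructed test input
    print(render_vulnerable(probe))       # script tag survives intact
    print(handle_request(probe)[2])       # script tag is neutralised
```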

Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-06-19T10:03:22.155Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6877910aa83201eaacda58e6

Added to database: 7/16/2025, 11:46:18 AM

Last enriched: 7/16/2025, 12:02:19 PM

Last updated: 7/23/2025, 12:39:49 AM
