CVE-2025-62743 identifies a stored Cross-site Scripting (XSS) vulnerability in the zookatron MyBookTable Bookstore plugin, a WordPress extension used to manage online bookstore catalogs. The vulnerability stems from improper neutralization of user-supplied input during web page generation, classified under CWE-79. This flaw allows an attacker with low privileges (PR:L) to inject malicious scripts that are stored and later executed in the context of other users' browsers, requiring user interaction (UI:R) to trigger. The vulnerability affects all versions up to 3.5.5, with no patches currently available. The CVSS 3.1 base score is 6.5 (medium severity), reflecting network attack vector (AV:N), low attack complexity (AC:L), partial confidentiality, integrity, and availability impacts (C:L/I:L/A:L), and scope change (S:C). Stored XSS can enable session hijacking, credential theft, or unauthorized actions on behalf of users, potentially compromising sensitive bookstore data and user accounts. Although no known exploits are reported in the wild, the vulnerability's presence in a widely used plugin for e-commerce sites poses a tangible risk. The lack of patches necessitates proactive mitigation and monitoring by affected organizations.

For European organizations operating online bookstores or e-commerce sites using the MyBookTable Bookstore plugin, this vulnerability could lead to unauthorized script execution in users' browsers, resulting in theft of session tokens, personal data, or manipulation of bookstore content. This compromises confidentiality, integrity, and availability of the affected systems and user data. The stored nature of the XSS means multiple users can be impacted once malicious payloads are injected. Attackers could leverage this to conduct phishing, spread malware, or escalate privileges within the site. Given the plugin’s role in managing customer interactions and transactions, exploitation could damage reputation, cause financial loss, and violate data protection regulations such as GDPR. The medium severity score indicates a significant but not critical threat, especially since exploitation requires some user interaction and low privilege access. However, the scope change and partial impacts across CIA triad highlight the need for urgent attention.

1. Implement strict input validation and output encoding on all user-supplied data fields within the MyBookTable plugin to neutralize malicious scripts. 2. Restrict user privileges to the minimum necessary, especially for users who can submit content that appears on public pages. 3. Monitor web application logs and user activity for signs of suspicious input or unusual behavior indicative of XSS attempts. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5. Regularly back up website data and configurations to enable quick restoration if compromise occurs. 6. Stay informed about vendor updates and apply patches promptly once released. 7. Consider deploying Web Application Firewalls (WAF) with rules tuned to detect and block XSS payloads targeting the affected plugin. 8. Educate site administrators and users about the risks of clicking on suspicious links or interacting with untrusted content. These measures go beyond generic advice by focusing on plugin-specific input handling, privilege management, and proactive monitoring tailored to the MyBookTable environment.