CVE-2025-63011 is a DOM-based Cross-site Scripting (XSS) vulnerability found in the WP Hotel Booking plugin developed by ThimPress for WordPress, affecting versions up to and including 2.2.7. The vulnerability stems from improper neutralization of user input during the generation of web pages, allowing malicious scripts to be injected and executed in the context of a victim's browser. Specifically, this is a client-side DOM XSS, meaning the attack payload is executed when the victim interacts with a crafted link or input that manipulates the Document Object Model (DOM) without proper sanitization. Exploitation requires an attacker to have high privileges (PR:H) on the WordPress site and user interaction (UI:R), such as clicking a malicious link or visiting a crafted page. The vulnerability affects confidentiality, integrity, and availability to a limited extent, as attackers could steal session tokens, perform actions on behalf of users, or disrupt service. The CVSS vector indicates network attack vector (AV:N), low attack complexity (AC:L), and scope change (S:C), meaning the vulnerability affects components beyond the initially vulnerable module. No public exploits have been reported yet, but the vulnerability is published and should be addressed promptly. The plugin is commonly used by hospitality and tourism websites to manage hotel bookings, making it a valuable target for attackers seeking to compromise customer data or disrupt business operations.

For European organizations, especially those in the hospitality and tourism sectors using the WP Hotel Booking plugin, this vulnerability poses a risk of session hijacking, unauthorized actions, and potential data leakage. Although exploitation requires high privileges and user interaction, the impact on confidentiality and integrity can lead to customer trust erosion and regulatory compliance issues under GDPR. Availability impacts, while limited, could disrupt booking services, affecting revenue and reputation. Given the importance of tourism in countries like Spain, Italy, France, and Germany, successful exploitation could have broader economic consequences. Additionally, attackers might leverage this vulnerability as a foothold for further attacks within the network. The medium severity rating reflects these moderate but tangible risks.

Organizations should monitor ThimPress announcements and apply security patches for WP Hotel Booking as soon as they become available. Until patches are released, restrict plugin access to trusted administrators only and limit the number of users with high privileges. Implement strict Content Security Policies (CSP) to reduce the risk of script injection and execution. Conduct regular security audits and input validation reviews on web applications using this plugin. Educate users with elevated privileges about phishing and social engineering risks to minimize user interaction exploitation. Additionally, consider deploying Web Application Firewalls (WAFs) with rules targeting XSS payloads and monitor logs for suspicious activity related to the plugin. Backup website data regularly to enable quick recovery in case of compromise.