CVE-2025-63013 is a vulnerability identified in the ThimPress WP Hotel Booking plugin for WordPress, affecting versions up to and including 2.2.7. The issue allows an unauthorized attacker to retrieve embedded sensitive system information without requiring any privileges, though user interaction is necessary, typically by tricking a user into visiting a maliciously crafted URL. The vulnerability is classified as an exposure of sensitive information to an unauthorized control sphere, meaning that data intended to be protected within the system can be accessed by unauthorized parties. The exposed data could include configuration details, system paths, or other embedded sensitive content that may assist attackers in reconnaissance or subsequent attacks. The CVSS 3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based with low complexity and no privileges required, but user interaction is necessary, and the impact is limited to confidentiality with no effect on integrity or availability. No known exploits have been reported in the wild, and no patches are currently linked, indicating that mitigation may rely on vendor updates or temporary workarounds. The vulnerability was reserved in late October 2025 and published in early December 2025, suggesting it is a recent discovery.

For European organizations, especially those in the hospitality and tourism sectors using the WP Hotel Booking plugin, this vulnerability poses a risk of sensitive information leakage. Exposure of system information can facilitate more sophisticated attacks such as targeted phishing, privilege escalation, or exploitation of other vulnerabilities by providing attackers with detailed knowledge of the system environment. While the vulnerability does not directly compromise system integrity or availability, the confidentiality breach can undermine trust and compliance with data protection regulations such as GDPR. Organizations relying on this plugin for booking management may face operational risks if attackers leverage the exposed information to compromise backend systems or customer data. The impact is more pronounced for entities with high web traffic and customer interaction, where user interaction to trigger the vulnerability is more feasible.

Organizations should monitor for updates from ThimPress and apply patches promptly once available. Until a patch is released, administrators should consider restricting access to the WP Hotel Booking plugin’s sensitive endpoints via web application firewalls (WAFs) or IP whitelisting to limit exposure. Implementing strict input validation and URL filtering can reduce the risk of malicious URL exploitation. Regularly auditing plugin configurations and logs for unusual access patterns can help detect attempted exploitation. Additionally, organizations should educate users about the risks of clicking unknown links to mitigate the user interaction requirement. If feasible, temporarily disabling the plugin or replacing it with alternative booking solutions may be warranted in high-risk environments. Maintaining a comprehensive backup and incident response plan ensures readiness in case of compromise.