CVE-2025-64275 identifies a stored Cross-site Scripting (XSS) vulnerability in the wpdevelop Booking Manager plugin, specifically in versions up to and including 2.1.17. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows an attacker with low privileges (PR:L) to inject malicious JavaScript code that is stored persistently within the application. When other users or administrators access the affected pages, the malicious script executes in their browsers, potentially leading to the theft of sensitive information such as authentication tokens, cookies, or other confidential data. The attack vector is network-based (AV:N), meaning exploitation can be performed remotely without physical access. The attack complexity is low (AC:L), and no user interaction is required (UI:N), increasing the risk of automated exploitation. The vulnerability does not impact integrity or availability directly but compromises confidentiality (C:H). Although no known exploits are currently in the wild, the presence of stored XSS in a widely used booking management plugin poses a significant risk, especially in environments where sensitive booking or personal data is handled. The vulnerability was published on November 13, 2025, and is tracked under CVE-2025-64275 with a CVSS v3.1 base score of 6.5, categorized as medium severity. The plugin is commonly used in WordPress environments, which are prevalent across many European organizations for managing bookings and reservations.

For European organizations, the exploitation of this stored XSS vulnerability could lead to unauthorized disclosure of sensitive booking information, user credentials, and session tokens, potentially resulting in account takeover or data leakage. This is particularly critical for sectors relying on booking systems, such as hospitality, healthcare, and event management. The confidentiality breach could undermine customer trust and lead to regulatory non-compliance under GDPR, resulting in financial penalties. Since the vulnerability requires only low privileges and no user interaction, attackers could automate attacks to compromise multiple accounts or escalate privileges within the affected systems. Additionally, compromised accounts could be leveraged for further lateral movement or phishing campaigns targeting European users. The absence of known exploits currently provides a window for proactive mitigation, but the medium severity score indicates a tangible risk that should not be underestimated.

European organizations should immediately inventory their WordPress installations to identify the presence of the wpdevelop Booking Manager plugin and verify the version in use. Until an official patch is released, organizations should consider disabling or restricting access to the plugin to minimize exposure. Implementing a Web Application Firewall (WAF) with robust XSS detection and blocking capabilities can help prevent exploitation attempts. Input validation and output encoding should be enforced on all user-supplied data within the booking manager environment to neutralize malicious scripts. Regular security audits and penetration testing focusing on web application vulnerabilities are recommended to detect similar issues. Monitoring logs for unusual activities related to the booking manager plugin can provide early detection of exploitation attempts. Finally, organizations should prepare to apply vendor patches promptly once available and educate administrators about the risks of stored XSS attacks.