CVE-2025-64381 is a stored Cross-site Scripting (XSS) vulnerability found in the wpdevelop Booking Calendar WordPress plugin, affecting all versions up to and including 10.14.7. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is stored persistently within the application. When other users or administrators view the affected pages, the malicious script executes in their browsers. The vulnerability requires the attacker to have at least low privileges (PR:L) and user interaction (UI:R), such as convincing a user to visit a crafted page or interact with malicious content. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) indicates network attack vector, low attack complexity, partial scope change, and impacts on confidentiality, integrity, and availability, though only at a low level. Stored XSS can be leveraged to hijack user sessions, steal credentials, deface websites, or pivot to further attacks within the WordPress environment. Although no known exploits are currently in the wild, the vulnerability is publicly disclosed and should be considered a significant risk for websites using this plugin. The Booking Calendar plugin is widely used for managing reservations and appointments, especially in sectors like hospitality, healthcare, and services, making this vulnerability relevant for organizations relying on online booking functionality. The lack of an official patch link suggests that a fix may not yet be available, emphasizing the need for interim mitigations.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the wpdevelop Booking Calendar plugin. Successful exploitation can lead to unauthorized script execution in the context of the affected site, potentially compromising user sessions, leaking sensitive data, or enabling further attacks such as privilege escalation or malware deployment. Organizations in sectors with heavy reliance on online booking—such as tourism, hospitality, healthcare, and professional services—may face reputational damage, data breaches, or service disruptions. The partial scope change in the CVSS vector indicates that the vulnerability could affect components beyond the immediate plugin, possibly impacting other parts of the WordPress installation. Given the medium severity and requirement for user interaction, the threat is less severe than remote code execution vulnerabilities but still significant, especially for high-traffic or sensitive sites. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks once exploit code becomes available. Compliance with data protection regulations like GDPR may also be impacted if personal data is compromised through exploitation.

1. Monitor the wpdevelop Booking Calendar plugin vendor channels and trusted vulnerability databases for the release of an official patch addressing CVE-2025-64381, and apply it promptly upon availability. 2. Until a patch is available, restrict plugin usage to trusted users only and limit the ability to submit or edit booking data to minimize exposure to malicious input. 3. Implement Web Application Firewall (WAF) rules that detect and block common XSS payloads targeting the Booking Calendar plugin endpoints. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the affected sites. 5. Conduct regular security audits and input validation reviews on all user-supplied data fields related to booking entries, ensuring proper sanitization and encoding. 6. Educate site administrators and users about the risks of interacting with suspicious links or content that could trigger stored XSS attacks. 7. Consider isolating or sandboxing the booking functionality to limit the impact scope if exploitation occurs. 8. Maintain up-to-date backups of the website and database to enable rapid recovery in case of compromise.