CVE-2025-64381 is a stored Cross-site Scripting (XSS) vulnerability identified in the wpdevelop Booking Calendar WordPress plugin, affecting all versions up to and including 10.14.7. The vulnerability stems from improper neutralization of input during the generation of web pages, allowing an attacker with low-level authenticated access to inject malicious JavaScript code that is stored persistently within the application. When other users access the affected pages, the malicious script executes in their browsers, potentially leading to the theft of sensitive information such as session cookies, or enabling further attacks like account hijacking or privilege escalation. The CVSS 3.1 vector indicates the attack can be performed remotely over the network (AV:N), requires low attack complexity (AC:L), and requires privileges (PR:L) but no user interaction (UI:N). The impact is primarily on confidentiality (C:H), with no direct impact on integrity or availability. Although no public exploits have been reported yet, the presence of stored XSS in a widely used booking plugin poses a significant risk, especially for websites handling sensitive customer data. The vulnerability was reserved on October 31, 2025, and published on November 13, 2025, but no patch links are currently available, indicating that remediation may still be pending. Organizations using this plugin should be vigilant and prepare to apply updates promptly once released.

For European organizations, especially those in the hospitality, tourism, and service sectors relying on WordPress websites with the wpdevelop Booking Calendar plugin, this vulnerability could lead to unauthorized disclosure of sensitive customer data such as booking details, personal information, and session tokens. The stored XSS could be exploited to hijack user sessions, deface websites, or conduct phishing attacks under the guise of a trusted site, damaging brand reputation and customer trust. Confidentiality breaches could also have regulatory implications under GDPR, potentially resulting in fines and legal consequences. Since the vulnerability requires low-level authentication, insider threats or compromised low-privilege accounts could be leveraged by attackers. The lack of impact on integrity and availability reduces the risk of data tampering or denial of service, but the confidentiality impact alone is significant. The absence of known exploits in the wild currently lowers immediate risk but does not eliminate the threat, especially once exploit code becomes available.

European organizations should implement the following specific mitigations: 1) Monitor wpdevelop Booking Calendar plugin updates closely and apply patches immediately upon release to remediate the vulnerability. 2) Until a patch is available, restrict plugin access to trusted users only and review user roles to minimize the number of accounts with booking calendar access. 3) Employ Web Application Firewalls (WAFs) with rules designed to detect and block common XSS payloads targeting the booking calendar endpoints. 4) Implement Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. 5) Conduct regular security audits and penetration testing focusing on input validation and output encoding in booking-related web pages. 6) Educate administrators and users about the risks of stored XSS and encourage vigilance for suspicious activity. 7) Consider temporary disabling or replacing the plugin with alternative booking solutions if patching is delayed. 8) Ensure logging and monitoring systems are configured to detect anomalous behavior indicative of exploitation attempts.