CVE-2025-6815 is a stored cross-site scripting vulnerability identified in the LatePoint Calendar Booking Plugin for WordPress, a widely used plugin for managing appointments and events. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically through the 'service[name]' parameter. In all versions up to and including 5.1.94, the plugin fails to adequately sanitize and escape this input, allowing authenticated users with administrator privileges to inject arbitrary JavaScript code into pages. Once injected, these scripts execute whenever any user visits the affected page, potentially enabling session hijacking, unauthorized actions, or the theft of sensitive data. This vulnerability is constrained to multi-site WordPress installations or those where the 'unfiltered_html' capability is disabled, as these configurations affect how HTML content is processed and filtered. The attack vector requires network access and administrator-level privileges but does not require user interaction, increasing the risk within compromised administrative environments. The CVSS v3.1 base score is 5.5, indicating a medium severity level due to limited confidentiality and integrity impacts and no impact on availability. No public exploits are currently known, and no official patches have been published, highlighting the need for proactive mitigation. The vulnerability was reserved in June 2025 and published in September 2025 by Wordfence.

The primary impact of CVE-2025-6815 is the potential compromise of user sessions and administrative control within affected WordPress multi-site environments using the LatePoint plugin. Attackers with administrator access can inject malicious scripts that execute in the context of other users, potentially leading to credential theft, privilege escalation, or unauthorized actions on the site. Although exploitation requires high privileges, the vulnerability can facilitate lateral movement or persistence within an organization’s web infrastructure. The confidentiality and integrity of data managed through the plugin could be compromised, especially sensitive booking or user information. The vulnerability does not affect availability directly but could be leveraged as part of a broader attack chain. Organizations relying on LatePoint for appointment management in multi-site WordPress setups are at risk, particularly those with multiple administrators or contributors. The lack of public exploits reduces immediate risk but does not eliminate the threat, especially in targeted attacks. The medium CVSS score reflects moderate risk, but the potential for significant damage in high-value environments exists.

To mitigate CVE-2025-6815, organizations should first verify if their WordPress environment uses the LatePoint plugin in a multi-site configuration or has 'unfiltered_html' disabled. Immediate steps include restricting administrator access to trusted personnel only and auditing existing 'service[name]' inputs for suspicious content. Implementing Web Application Firewall (WAF) rules to detect and block malicious script payloads targeting the vulnerable parameter can reduce exploitation risk. Administrators should monitor logs for unusual activity related to the plugin and review user-generated content for injected scripts. Until an official patch is released, consider disabling or uninstalling the LatePoint plugin in multi-site environments if feasible. Additionally, applying the principle of least privilege to WordPress roles can limit the number of users capable of exploiting this vulnerability. Regular backups and incident response plans should be updated to address potential XSS incidents. Finally, stay alert for vendor updates or patches and apply them promptly once available.