
CVE-2025-6815: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in latepoint LatePoint – Calendar Booking Plugin for Appointments and Events

Medium
Tags: Vulnerability, CVE-2025-6815, cve, cve-2025-6815, cwe-79
Published: Tue Sep 30 2025 (09/30/2025, 04:27:06 UTC)
Source: CVE Database V5
Vendor/Project: latepoint
Product: LatePoint – Calendar Booking Plugin for Appointments and Events

Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘service[name]’ parameter in all versions up to, and including, 5.1.94 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AI-Powered Analysis

AI analysis last updated: 09/30/2025, 04:35:26 UTC

Technical Analysis

CVE-2025-6815 is a stored cross-site scripting (XSS) vulnerability in LatePoint – Calendar Booking Plugin for Appointments and Events, a WordPress plugin used to manage bookings and events. The weakness is CWE-79, improper neutralization of input during web page generation: the value submitted in the 'service[name]' parameter is neither adequately sanitized when it is stored nor escaped when it is rendered back into a page. In all versions up to and including 5.1.94, an authenticated user with administrator-level privileges can therefore store arbitrary JavaScript in a service name, and that script executes in the browser of any user who views a page where the name is rendered. The multi-site / unfiltered_html qualifier is the key to reading this advisory correctly. On a default single-site installation, administrators hold the unfiltered_html capability and are allowed to publish raw HTML and script, so an administrator injecting script is not a vulnerability under WordPress's threat model. The capability is withheld from site administrators on multi-site networks (only super administrators have it) and can be removed everywhere with the DISALLOW_UNFILTERED_HTML constant; in those configurations the plugin's missing sanitization lets a lower-trust administrator bypass that restriction and run script in the sessions of super administrators and other users. The CVSS v3.1 base score is 5.5 (medium): network attack vector, low attack complexity, high privileges required, no user interaction, changed scope (the script runs in other users' browsers, outside the plugin's own security authority), low confidentiality and integrity impact, and no availability impact. At the time of writing there are no known exploits in the wild and no patch is linked from the record. The practical consequence of persistent script execution in another administrator's session is the usual one for WordPress: theft of session cookies or nonces, silent creation of additional privileged users, or delivery of further payloads to everyone who opens the injected pages.
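The pattern the advisory describes, as an added illustration that is not LatePoint's source code: a plugin that stores a request parameter unchanged and prints it back into markup, beside the same code with sanitization on input and context-aware escaping on output. The function names, the option name and the capability check are assumptions chosen for the illustration; only the parameter name service[name] comes from the advisory. PHP, intended to run inside WordPress:

```php
<?php
/*
 * Added illustration, not LatePoint's code. Function names, the option name
 * and the capability check are assumptions; only the request parameter
 * service[name] comes from the advisory.
 */

// VULNERABLE: raw request value stored and later printed without escaping.
function example_save_service_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    check_admin_referer( 'example_save_service' );
    // wp_unslash() only removes the slashes WordPress adds to $_POST; it is
    // not sanitization. The value is stored exactly as the attacker sent it.
    $name = wp_unslash( $_POST['service']['name'] ?? '' );
    update_option( 'example_service_name', $name );
}

function example_render_service_vulnerable() {
    $name = get_option( 'example_service_name', '' );
    // Stored XSS sink: attacker-controlled text becomes markup in two contexts.
    echo '<h2 class="service-title">' . $name . '</h2>';
    echo '<input type="text" name="service[name]" value="' . $name . '">';
}

// HARDENED: sanitize on input according to what the field is, and escape on
// output according to the context it is rendered in.
function example_save_service_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    check_admin_referer( 'example_save_service' );
    $raw = wp_unslash( $_POST['service']['name'] ?? '' );
    // A service name is plain text: sanitize_text_field() strips tags,
    // octets and line breaks. This is the "insufficient input sanitization"
    // half of the advisory.
    $name = sanitize_text_field( $raw );
    update_option( 'example_service_name', $name );
}

function example_render_service_hardened() {
    $name = get_option( 'example_service_name', '' );
    // The "output escaping" half: HTML body and attribute value are different
    // contexts and get different escapers.
    echo '<h2 class="service-title">' . esc_html( $name ) . '</h2>';
    echo '<input type="text" name="service[name]" value="' . esc_attr( $name ) . '">';
}

// If a field genuinely must accept limited HTML, filter it with wp_kses_post(),
// which keeps only the tags WordPress allows in post content and drops <script>
// and on* handlers. Honouring the unfiltered_html capability explicitly, the way
// WordPress core does for post content, looks like this:
function example_sanitize_rich_description( $raw ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $raw; // WordPress's threat model trusts this user with raw HTML.
    }
    return wp_kses_post( $raw );
}
```

Sanitizing on save alone is not enough: a value that reached the database before the fix, or through another code path, is still rendered, so the output escaping in the render function is what actually stops the stored payload from executing.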

Potential Impact

For European organizations running LatePoint on a multi-site WordPress network, or on any installation where unfiltered_html has been disabled, the vulnerability is a moderate risk. An attacker who already holds an administrator account on an affected site can store a script in a service name that then runs in the browser of every user who views a page rendering that name, including super administrators on a network. Because administrator privileges are required, the realistic sources are insider misuse and compromised administrator credentials. The stored, persistent nature of the injection is what makes it worth patching: a single write gives the attacker an ongoing presence in other users' sessions, from which session cookies or nonces can be stolen, booking and customer data read or altered, or further payloads delivered. The absence of an availability impact in the score does not make the business impact small. Sectors that depend on appointment scheduling, such as healthcare, legal services and customer support, would face confidentiality and integrity consequences and, where personal data is involved, breach-notification duties. The multi-site condition also means that agencies and larger organizations hosting many client sites on one network, where per-site administrators are deliberately not trusted with raw HTML, are exactly the population at risk. With no exploits known in the wild, widespread attacks are not expected imminently, but the precondition, an administrator account, is one attackers routinely obtain through credential reuse and phishing, so vigilance is warranted.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Audit WordPress installations for LatePoint versions up to and including 5.1.94, and record for each whether it is a multi-site network (is_multisite()) or has DISALLOW_UNFILTERED_HTML set. Only those installations are affected; elsewhere administrators already hold unfiltered_html and the plugin's behaviour does not cross a trust boundary.
2) Restrict administrator accounts to trusted personnel, remove stale ones, and enforce multi-factor authentication, so that the precondition (a compromised or malicious administrator) is harder to meet.
3) Where a web application firewall is in place, add a rule that rejects HTML tags or event-handler attributes in the service[name] parameter of requests to the plugin's admin endpoints. Keep the rule narrow so that legitimate service names containing apostrophes or ampersands still pass.
4) Monitor for unexpected administrator activity and periodically inspect stored service names for script or HTML content; a service name should be plain text.
5) Until a fixed version is available, consider deactivating LatePoint on affected multi-site networks, or sanitizing the parameter before the plugin processes it as a compensating control.
6) Brief administrators on stored XSS, in particular that merely viewing the affected page executes the injected script with their session, and on sanitizing input and escaping output in any custom code.
7) Update WordPress core and plugins promptly once a patched LatePoint release is published.
8) Send a Content Security Policy that disallows inline script on the public booking pages. A strict policy on wp-admin will break core screens, which rely on inline scripts, so scope it to the front end and start in report-only mode.
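A compensating control covering items 3, 4, 5 and 8 above, as an added example that is neither LatePoint's nor Wordfence's code: a must-use plugin that sanitizes service[name] for users who lack unfiltered_html before LatePoint sees the request, logs the event with the acting user, and sends a report-only Content Security Policy on front-end pages. It assumes LatePoint reads the parameter from $_POST or $_REQUEST after the init hook; the plugin name, the log line format and the EXAMPLE_CSP_ENFORCE toggle are hypothetical.

```php
<?php
/*
 * Plugin Name: Example service[name] guard for CVE-2025-6815 (mu-plugin)
 *
 * Added compensating control, not LatePoint's or Wordfence's code. Assumes
 * LatePoint reads service[name] from $_POST or $_REQUEST after 'init'. The
 * plugin name, log format and EXAMPLE_CSP_ENFORCE constant are hypothetical.
 * Place in wp-content/mu-plugins/ so it loads on every request, including
 * admin-ajax.php, before regular plugins handle it.
 */

add_action( 'init', 'example_guard_service_name', 1 );

function example_guard_service_name() {
    if ( ! isset( $_POST['service'] ) || ! is_array( $_POST['service'] ) ) {
        return;
    }
    if ( ! isset( $_POST['service']['name'] ) || ! is_string( $_POST['service']['name'] ) ) {
        return;
    }
    // Users that WordPress already trusts with raw HTML are left alone; the
    // advisory only concerns installs where unfiltered_html has been withheld.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return;
    }
    // WordPress has already added slashes to $_POST at this point (wp_magic_quotes),
    // so strip them before sanitizing and add them back before handing over.
    $raw   = wp_unslash( $_POST['service']['name'] );
    $clean = sanitize_text_field( $raw );
    if ( $clean === $raw ) {
        return; // plain text, nothing to do
    }
    // Something other than plain text was submitted: record who did it and
    // from where, then pass the sanitized value on to the plugin.
    $user = wp_get_current_user();
    error_log( sprintf(
        'example_guard: service[name] rewritten for user %d (%s) from %s: %s',
        $user->ID,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        wp_json_encode( $raw )
    ) );
    $_POST['service']['name'] = wp_slash( $clean );
    if ( isset( $_REQUEST['service']['name'] ) ) {
        $_REQUEST['service']['name'] = wp_slash( $clean );
    }
}

// Front-end CSP. Starts in report-only mode; define EXAMPLE_CSP_ENFORCE as true
// in wp-config.php once the browser console shows no violations from the
// theme's own inline scripts. Never send an enforcing inline-script ban to
// wp-admin: core admin screens depend on inline scripts.
add_action( 'send_headers', function () {
    if ( is_admin() ) {
        return;
    }
    $enforce = defined( 'EXAMPLE_CSP_ENFORCE' ) && EXAMPLE_CSP_ENFORCE;
    $header  = $enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';
    header( $header . ": script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```

The guard rewrites the request rather than rejecting it, so a legitimate administrator who pastes formatted text into a service name gets a plain-text name instead of an error, while the log line gives the security team the original payload and the account that sent it.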


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-27T16:43:04.262Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68db5dce3dea812c77a6ce55

Added to database: 9/30/2025, 4:34:22 AM

Last enriched: 9/30/2025, 4:35:26 AM

Last updated: 9/30/2025, 6:30:18 AM
