CVE-2025-6941: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in latepoint LatePoint – Calendar Booking Plugin for Appointments and Events
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'latepoint_resources' shortcode in all versions up to, and including, 5.1.94 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-6941 is a stored Cross-Site Scripting (XSS) vulnerability in the LatePoint – Calendar Booking Plugin for Appointments and Events, a widely used WordPress plugin for managing bookings and events. The flaw is improper neutralization of input during web page generation (CWE-79): in all versions up to and including 5.1.94, the value of the 'id' parameter of the 'latepoint_resources' shortcode is neither adequately sanitized on input nor escaped on output. An authenticated user with Contributor-level privileges or higher can therefore inject arbitrary JavaScript into page content; the script is stored persistently and executes in the browser of every user who views the affected page. The CVSS v3.1 base score is 6.4 (medium severity): network attack vector (remote exploitation), low attack complexity, privileges required (Contributor or above), no user interaction, and a changed scope, meaning the impact reaches components beyond the initially vulnerable module. Confidentiality and integrity are partially affected, since script running in the context of other users can steal session tokens, perform actions on their behalf, or deface content. No exploits in the wild have been reported and no official patch has been linked yet. The low privilege requirement is what makes the issue notable: Contributor is a relatively low WordPress role, so insider threats or compromised accounts can exploit it, and because the XSS is persistent, many users may be affected over time. Since every version up to 5.1.94 is affected, installations that have not been updated or patched are broadly exposed.
Potential Impact
For European organizations, especially those relying on WordPress websites with the LatePoint booking plugin, this vulnerability poses a significant risk. The ability for an authenticated user with Contributor-level access to inject persistent malicious scripts can lead to unauthorized access to sensitive customer data, session hijacking, and unauthorized actions performed on behalf of legitimate users. This can result in data breaches violating GDPR regulations, leading to legal penalties and reputational damage. Additionally, the exploitation of this vulnerability could undermine trust in online booking systems, disrupt business operations, and potentially facilitate further attacks such as phishing or malware distribution. Organizations in sectors like healthcare, education, hospitality, and professional services that use appointment booking systems are particularly vulnerable. The scope of impact extends beyond the initial compromised user, affecting administrators and other users who access the injected pages, thereby amplifying the potential damage. Given the medium severity and the ease of exploitation by relatively low-privileged users, European organizations must prioritize addressing this vulnerability to maintain compliance and protect customer data integrity.
Mitigation Recommendations
To mitigate this vulnerability effectively, European organizations should:
1) Immediately audit WordPress installations to identify the presence of the LatePoint plugin and verify the version in use.
2) Apply any available official patches or updates from the vendor as soon as they are released. In the absence of official patches, consider temporarily disabling the plugin or restricting access to the 'latepoint_resources' shortcode functionality.
3) Implement strict role-based access controls to limit Contributor-level privileges only to trusted users, minimizing the risk of malicious input injection.
4) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting the 'id' parameter of the shortcode.
5) Conduct regular security training for users with elevated privileges to recognize and avoid risky behaviors that could lead to exploitation.
6) Monitor logs and website content for unusual script injections or modifications indicative of exploitation attempts.
7) Consider deploying Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts, thereby reducing the impact of potential XSS attacks.
8) Engage in proactive vulnerability scanning and penetration testing focused on WordPress plugins to identify and remediate similar issues promptly.
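As an added example (not code from this advisory or from the LatePoint project), the following Python scanner implements recommendation 6 over exported post content: it parses every 'latepoint_resources' shortcode and reports any whose 'id' attribute is not a plain integer. It assumes the id attribute is meant to hold a numeric resource identifier; SAMPLE_POSTS is constructed test data.

```python
import re

# Constructed sample of post content as it might sit in wp_posts.post_content
# (not real LatePoint data). Posts 101 and 102 carry a numeric resource id;
# post 103 carries a non-numeric value of the kind the advisory describes.
SAMPLE_POSTS = {
    101: 'Book a room: [latepoint_resources id="12"]',
    102: "Our team: [latepoint_resources id='7' layout=grid]",
    103: 'Contact us [latepoint_resources id="1<em>x</em>"] today',
}

# One [latepoint_resources ...] occurrence; like WordPress itself, the match
# stops at the first ']' so a ']' inside an attribute value is not supported.
SHORTCODE_RE = re.compile(r"\[latepoint_resources\b([^\]]*)\]")
# Shortcode attribute syntax: name="v", name='v' or bare name=v.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")
# Assumption: a resource id is a plain non-negative integer; anything else
# (markup, quotes, event handlers) is exactly what must never reach output.
VALID_ID_RE = re.compile(r"[0-9]+")

def parse_shortcode_atts(raw: str) -> dict:
    """Return the attributes of one shortcode as {name: value} (names lowercased)."""
    atts = {}
    for m in ATTR_RE.finditer(raw):
        name, dq, sq, bare = m.groups()
        atts[name.lower()] = dq if dq is not None else sq if sq is not None else bare
    return atts

def find_latepoint_resources(content: str) -> list:
    """All latepoint_resources shortcodes in a post body, as attribute dicts."""
    return [parse_shortcode_atts(m.group(1)) for m in SHORTCODE_RE.finditer(content)]

def is_valid_resource_id(value: str) -> bool:
    """True only for a value that consists solely of digits."""
    return VALID_ID_RE.fullmatch(value) is not None

def scan_posts(posts: dict) -> list:
    """Return (post_id, offending_id_value) for every shortcode whose id is not numeric."""
    findings = []
    for post_id, content in posts.items():
        for atts in find_latepoint_resources(content):
            if "id" in atts and not is_valid_resource_id(atts["id"]):
                findings.append((post_id, atts["id"]))
    return findings

if __name__ == "__main__":
    for post_id, value in scan_posts(SAMPLE_POSTS):
        print(f"post {post_id}: suspicious latepoint_resources id={value!r}")
```

In a real deployment, feed scan_posts the post_content column of every published and draft post; a finding means a Contributor-editable page already carries a non-numeric id and should be reviewed before it is rendered to other users.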
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-30T21:18:16.014Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68db5dce3dea812c77a6ce5a
Added to database: 9/30/2025, 4:34:22 AM
Last enriched: 9/30/2025, 4:35:14 AM
Last updated: 9/30/2025, 6:22:38 AM