CVE-2025-6941 is a stored cross-site scripting (XSS) vulnerability identified in the LatePoint Calendar Booking Plugin for WordPress, a popular tool used for managing appointments and events. The vulnerability exists in all versions up to and including 5.1.94 and is triggered via the 'id' parameter of the 'latepoint_resources' shortcode. The root cause is insufficient input sanitization and output escaping, which allows authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes whenever any user views the affected page, potentially compromising user sessions, stealing credentials, or performing unauthorized actions on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based, requiring only low complexity and privileges of an authenticated contributor, but no user interaction is needed for the payload to execute once injected. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, impacting other users. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites using this plugin, especially those with multiple contributors or public-facing booking pages. Mitigation requires patching or implementing strict input validation and output encoding for the affected shortcode parameters.

For European organizations, the impact of CVE-2025-6941 can be significant, particularly for small and medium enterprises (SMEs) and service providers relying on WordPress-based booking systems. Exploitation could lead to session hijacking, unauthorized access to user accounts, defacement, or theft of sensitive customer data such as appointment details. This can damage organizational reputation, lead to regulatory non-compliance under GDPR due to data breaches, and cause operational disruptions. Since the vulnerability requires authenticated contributor access, insider threats or compromised contributor accounts increase risk. The persistent nature of stored XSS means multiple users can be affected over time, amplifying potential damage. Additionally, attackers could leverage the vulnerability as a foothold for further attacks within the network. The medium CVSS score reflects moderate but tangible risk, warranting prompt remediation to avoid exploitation.

European organizations should immediately upgrade the LatePoint plugin to a patched version once available. Until then, restrict Contributor-level access strictly to trusted users and review user roles to minimize privilege exposure. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'id' parameter of the 'latepoint_resources' shortcode. Conduct regular security audits and code reviews focusing on input validation and output encoding in custom shortcodes and plugins. Employ Content Security Policy (CSP) headers to limit the impact of injected scripts. Monitor logs for unusual activity related to booking pages and contributor accounts. Educate contributors on secure input practices and the risks of XSS. If patching is delayed, consider disabling the vulnerable shortcode or plugin temporarily to prevent exploitation. Finally, maintain up-to-date backups to enable rapid recovery if an attack occurs.