CVE-2025-9346 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Booking Calendar plugin for WordPress, developed by wpdevelop. This vulnerability affects all versions up to and including 10.14.1. The root cause is insufficient sanitization of user input and inadequate output escaping within the plugin's settings interface. Authenticated attackers possessing Administrator-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into plugin-managed pages. Because the malicious script is stored persistently, it executes every time any user visits the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction. The scope is changed, as the vulnerability can affect other users beyond the attacker. No known public exploits have been reported yet. The vulnerability falls under CWE-79, which covers improper neutralization of input during web page generation, a common vector for XSS attacks. This issue highlights the importance of rigorous input validation and output encoding in web applications, especially plugins that extend CMS functionality. Since WordPress powers a significant portion of the web, and Booking Calendar is a popular plugin, this vulnerability could have widespread implications if exploited.

The primary impact of CVE-2025-9346 is on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the vulnerable site, which can lead to session hijacking, theft of sensitive information, unauthorized actions performed with the victim's privileges, and potential defacement or redirection to malicious sites. Although availability is not directly impacted, the reputational damage and potential data breaches can be severe. Since exploitation requires Administrator-level access, the threat is typically internal or from compromised admin accounts, but the scope of impact extends to all users visiting the injected pages. Organizations relying on the Booking Calendar plugin may face data leakage, loss of user trust, and compliance issues if the vulnerability is exploited. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often target popular CMS plugins. The medium CVSS score reflects moderate risk but should not lead to complacency given the potential for privilege escalation and persistent attacks.

To mitigate CVE-2025-9346, organizations should immediately update the Booking Calendar plugin to a patched version once released by wpdevelop. Until a patch is available, restrict plugin access strictly to trusted administrators and review all admin accounts for suspicious activity or unauthorized access. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the plugin's settings pages. Conduct thorough input validation and output encoding on any custom code interacting with the plugin. Regularly audit the plugin's stored data for injected scripts and remove any suspicious content. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Educate administrators on the risks of stored XSS and enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of account compromise. Monitor logs for unusual administrative actions and page content changes. Finally, consider isolating or disabling the plugin temporarily if it is not critical to operations until a secure version is deployed.