CVE-2025-4669 in WP Booking Calendar Plugin

Summary

by MITRE • 05/17/2025

The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpbc shortcode in all versions up to, and including, 10.11.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 05/17/2025

The WP Booking Calendar plugin for WordPress carries a critical vulnerability, CVE-2025-4669: a stored cross-site scripting flaw affecting versions up to and including 10.11.1. It stems from inadequate input sanitization and output escaping in the plugin's shortcode implementation, specifically the wpbc shortcode, which processes user-supplied attributes. Because those attributes are neither validated nor escaped before being stored and later rendered into web pages, the flaw creates a persistent vector for script injection that affects any user who views the affected content.

The technical exploitation of this vulnerability requires an authenticated attacker possessing contributor-level privileges or higher within the WordPress environment, which significantly reduces the attack surface compared to vulnerabilities requiring administrator access. However, the impact remains severe as the stored nature of the XSS means that malicious scripts persist in the database and execute automatically whenever any user accesses the compromised pages. The vulnerability directly maps to CWE-79, which defines Cross-Site Scripting as a weakness where untrusted data is used to generate web pages without proper validation or escaping, and aligns with ATT&CK technique T1566.001 for the initial compromise phase through malicious content injection. The wpbc shortcode serves as the attack vector where user attributes are processed without adequate sanitization, allowing attackers to embed malicious JavaScript payloads that can execute in the context of other users' browsers.
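To make the flaw class concrete, here is an added illustration in PHP; it is not the plugin's own code and does not reproduce the wpbc handler. It shows a hypothetical `demo_booking` shortcode written the unsafe way next to a hardened version of the same handler. It assumes the WordPress runtime (`add_shortcode`, `shortcode_atts`, `absint`, `sanitize_text_field`, `esc_html` and `esc_attr` are WordPress core functions); the shortcode tags and attribute names are made up for the example.

```php
<?php
// Added example, not code from WP Booking Calendar. Assumes it runs inside
// WordPress (e.g. as a mu-plugin); the shortcode tags and attribute names
// are hypothetical.

/*
 * UNSAFE pattern: attribute values typed by the post author are concatenated
 * straight into HTML. A contributor's shortcode attributes are stored as plain
 * text, pass KSES on save untouched, and are only turned into markup here, at
 * render time, in the browser of whoever views the page.
 */
add_shortcode('demo_booking_unsafe', function ($atts) {
    $atts = shortcode_atts([
        'title' => 'Book now',
        'width' => '100',
        'theme' => 'light',
    ], $atts, 'demo_booking_unsafe');

    // $atts['theme'] and $atts['width'] land inside attributes, $atts['title']
    // inside an element: none is validated or escaped for its output context.
    return '<div class="demo-booking demo-booking-' . $atts['theme'] . '"'
         . ' style="width:' . $atts['width'] . '%">'
         . '<h3>' . $atts['title'] . '</h3></div>';
});

/*
 * HARDENED pattern: validate each attribute against what it is supposed to be,
 * then escape it with the function that matches the context it is printed in.
 */
add_shortcode('demo_booking_safe', function ($atts) {
    $atts = shortcode_atts([
        'title' => 'Book now',
        'width' => '100',
        'theme' => 'light',
    ], $atts, 'demo_booking_safe');

    // Enumerated value: allow-list, fall back to the default on anything else.
    $theme = in_array($atts['theme'], ['light', 'dark'], true) ? $atts['theme'] : 'light';

    // Numeric value: coerce to an integer and clamp to a sane range.
    $width = min(100, max(10, absint($atts['width'])));

    // Free text: strip tags and control characters on the way in...
    $title = sanitize_text_field($atts['title']);

    // ...and escape on the way out, per context: esc_attr() inside an
    // attribute, esc_html() inside element content, %d for the integer.
    return sprintf(
        '<div class="demo-booking demo-booking-%s" style="width:%d%%"><h3>%s</h3></div>',
        esc_attr($theme),
        $width,
        esc_html($title)
    );
});
```

Sanitizing on input and escaping on output are complementary rather than interchangeable: `sanitize_text_field()` alone still leaves quote characters that can terminate an attribute, and `esc_html()` is the wrong function for a URL-valued attribute, which should go through `esc_url()` instead. The allow-list for `theme` is the cheapest control of the three, because a value that is not one of two known strings never reaches the output at all.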

The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform session hijacking, steal sensitive cookies, redirect users to malicious sites, or even escalate privileges within the WordPress environment. When authenticated users access pages containing the injected malicious code, their browsers execute the scripts in their context, potentially compromising their sessions and allowing for further exploitation. The stored nature of the vulnerability means that the malicious code remains persistent until manually removed by administrators, creating a long-term threat vector that can affect multiple users over extended periods. This vulnerability particularly impacts businesses relying on booking systems where contributors may have legitimate access to modify content, making the attack surface more accessible than initially apparent.

Mitigation strategies for CVE-2025-4669 should prioritize immediate plugin updates to versions that address the sanitization and escaping deficiencies, while also implementing additional security controls such as role-based access restrictions to limit contributor privileges where possible. Organizations should consider implementing content security policies to prevent execution of unauthorized scripts, and conduct thorough security audits of all active plugins to identify similar vulnerabilities. The vulnerability demonstrates the importance of proper input validation and output escaping practices as outlined in OWASP Top 10 and other security frameworks, emphasizing that even seemingly benign plugins can serve as attack vectors when proper security measures are not implemented. Regular security monitoring and vulnerability scanning should be implemented to detect similar issues in other plugins, as the attack surface for stored XSS vulnerabilities remains significant in content management systems where user input is processed and stored.
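As an added example of the audit step suggested above (not part of the VulDB record or of the plugin), the following WP-CLI script walks stored posts, parses every `[wpbc]` shortcode with WordPress's own shortcode regex, and reports attribute values that contain markup, entity-encoded characters, event-handler syntax or a script-bearing URI scheme, so an administrator can review and remove them. It assumes a WordPress install with WP-CLI (`get_shortcode_regex()`, `shortcode_parse_atts()`, `get_posts()` and the `WP_CLI` class are real APIs); the file name and the heuristic patterns are the example's own.

```php
<?php
// Added example; not part of WP Booking Calendar or of VulDB. Run inside a
// WordPress install with:  wp eval-file audit-wpbc-shortcodes.php
// Reports stored [wpbc ...] shortcodes whose attribute values look like
// markup or script, for administrator review.

// Matches only the wpbc tag; capture group 3 is the raw attribute string.
$shortcode_re = '/' . get_shortcode_regex(['wpbc']) . '/s';

// Triage heuristic for values that have no business in a booking attribute:
// tags, HTML entities, event-handler attributes, script-bearing URI schemes.
$suspicious_re = '/<|>|&#|&lt;|\bon[a-z]+\s*=|javascript:|data:text\/html/i';

$posts = get_posts([
    'post_type'   => 'any',
    'post_status' => 'any',
    'numberposts' => -1,
    's'           => '[wpbc',   // cheap pre-filter on post content, not a control
]);

$findings = [];
foreach ($posts as $post) {
    if (!preg_match_all($shortcode_re, $post->post_content, $matches, PREG_SET_ORDER)) {
        continue;
    }
    foreach ($matches as $m) {
        // Returns an array of name => value pairs, or a string when there are none.
        $atts = shortcode_parse_atts($m[3]);
        if (!is_array($atts)) {
            continue;
        }
        foreach ($atts as $name => $value) {
            if (is_string($value) && preg_match($suspicious_re, $value)) {
                $findings[] = [
                    'post_id' => $post->ID,
                    'author'  => $post->post_author,
                    'attr'    => is_int($name) ? "(positional $name)" : $name,
                    // Truncate so the report itself does not replay a long value.
                    'value'   => mb_substr($value, 0, 60),
                ];
            }
        }
    }
}

if (!$findings) {
    WP_CLI::success('No suspicious [wpbc] attribute values found.');
    return;
}
foreach ($findings as $f) {
    WP_CLI::warning(sprintf(
        'post %d (author %d): attribute %s = %s',
        $f['post_id'], $f['author'], $f['attr'], $f['value']
    ));
}
WP_CLI::log(count($findings) . ' finding(s); review each post before removing content.');
```

The pattern list is a triage heuristic and will produce occasional false positives (an attribute value containing the word "one" followed by `=` trips the event-handler check), so the output is a review list, not a verdict. The author ID in each line is what makes the report actionable: a finding on a post owned by a contributor account is exactly the case this CVE describes, and the same account's other content deserves a look.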

Reservation

05/13/2025

Disclosure

05/17/2025

Moderation

accepted

CPE

ready

EPSS

0.00310

KEV

no

Activities

very low
