CVE-2025-62743
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore mybooktable allows Stored XSS. This issue affects MyBookTable Bookstore: from n/a through <= 3.6.0.
Analysis
Stored cross-site scripting (XSS) in MyBookTable Bookstore WordPress plugin version 3.6.0 and earlier allows authenticated or unauthenticated attackers to inject malicious scripts into web pages that execute in the context of other users' browsers. The vulnerability exists in the web page generation process where user input is not properly neutralized before being stored and rendered. No public exploit code has been identified, and the EPSS score of 0.04% suggests low real-world exploitation probability despite the XSS classification.
Technical Context
The vulnerability is a stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in the MyBookTable Bookstore WordPress plugin, which is a booking and table management system for restaurant and hospitality websites. The root cause is insufficient input sanitization and output encoding in the plugin's web page generation logic. When user-supplied data is stored in the database and subsequently rendered in HTML without proper escaping, attackers can inject malicious JavaScript code that persists and executes whenever the affected page is viewed by other users. WordPress plugins are executed within the WordPress core environment, so successful XSS exploitation can lead to unauthorized actions within the WordPress admin panel, data theft from site visitors, or malware distribution.
Affected Products
MyBookTable Bookstore WordPress plugin versions 3.6.0 and earlier are affected by this stored XSS vulnerability. The plugin is distributed via the WordPress plugin repository and can be identified by the CPE mapping for WordPress plugins. Users running version 3.6.0 or any prior release should apply available security updates. The Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/mybooktable/vulnerability/wordpress-mybooktable-bookstore-plugin-3-5-5-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the vulnerability in version 3.5.5 and indicates the issue persists through version 3.6.0.
Remediation
Update the MyBookTable Bookstore WordPress plugin to a patched version higher than 3.6.0 as soon as it becomes available from the plugin developer or WordPress repository. Administrators should verify the plugin version in their WordPress dashboard (Plugins > Installed Plugins) and use the automatic update feature or manually download the latest version. Until a patched version is released, implement interim risk reduction measures: restrict plugin access to trusted administrators only by using role-based access controls, enable a Web Application Firewall (WAF) with XSS filtering rules, deploy Content Security Policy (CSP) headers to prevent inline script execution, and regularly audit user-generated content stored by the plugin. Monitor the Patchstack database entry and the WordPress plugin repository for security update notifications.
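The following PHP is an added illustration of the CWE-79 pattern described under Technical Context and of the escape-on-output and CSP measures listed under Remediation; it is not MyBookTable's own code and does not reproduce the actual flawed code path, which the advisory does not identify. The meta key `_book_note`, the shortcode name and the nonce action are hypothetical.

```php
<?php
// Added illustration of a stored-XSS pattern in a WordPress plugin (not MyBookTable's code).
// Meta key, shortcode name and nonce action are hypothetical.

// --- Vulnerable pattern: stored without sanitization, rendered without escaping ---
function vuln_save_book_note( $post_id ) {
    if ( isset( $_POST['book_note'] ) ) {
        // Raw request input goes straight into the database.
        update_post_meta( $post_id, '_book_note', $_POST['book_note'] );
    }
}

function vuln_render_book_note( $atts ) {
    $note = get_post_meta( get_the_ID(), '_book_note', true );
    // Stored value is concatenated into HTML unescaped: any script it contains runs for every viewer.
    return '<div class="book-note">' . $note . '</div>';
}

// --- Hardened pattern: capability + nonce check, sanitize on save, escape on output ---
function safe_save_book_note( $post_id ) {
    if ( ! isset( $_POST['book_note'] ) ) {
        return;
    }
    // Only a user allowed to edit this post, presenting a valid nonce, may save the field.
    if ( ! current_user_can( 'edit_post', $post_id )
        || ! isset( $_POST['book_note_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['book_note_nonce'] ), 'save_book_note' ) ) {
        return;
    }
    // sanitize_textarea_field() strips tags and invalid characters before storage.
    update_post_meta( $post_id, '_book_note', sanitize_textarea_field( wp_unslash( $_POST['book_note'] ) ) );
}

function safe_render_book_note( $atts ) {
    $note = get_post_meta( get_the_ID(), '_book_note', true );
    // Escape at the point of output. If limited HTML must be allowed, wp_kses_post() is the alternative.
    return '<div class="book-note">' . esc_html( $note ) . '</div>';
}

// Defence in depth for the interim measures in Remediation: a CSP that refuses inline scripts.
function safe_send_csp_header() {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy: script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
}

add_action( 'save_post', 'safe_save_book_note' );
add_shortcode( 'book_note', 'safe_render_book_note' );
add_action( 'send_headers', 'safe_send_csp_header' );
```

A `script-src 'self'` policy also blocks the inline scripts WordPress core and other plugins emit, so test it on a staging site (or start with `Content-Security-Policy-Report-Only`) before enforcing it.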