CVE-2025-63011

MEDIUM
2025-12-09 [email protected]
5.9
CVSS 3.1

CVSS Vector (source: NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 09, 2025 - 16:18 (nvd), rated MEDIUM 5.9

Description (source: NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows DOM-Based XSS. This issue affects WP Hotel Booking: from n/a through <= 2.2.8.

Analysis (AI-generated)

DOM-based cross-site scripting (XSS) in the ThimPress WP Hotel Booking plugin, versions up to and including 2.2.8, allows an authenticated user with high privileges to inject script that executes in the browsers of other users of the site. Exploitation requires user interaction (UI:R) and administrator-level privileges (PR:H), which limits its real-world impact despite the medium CVSS score of 5.9. The EPSS exploitation probability is very low at 0.04%, indicating minimal practical likelihood of attack.

Technical Context (AI-generated)

This is a DOM-based cross-site scripting vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in the WP Hotel Booking WordPress plugin. DOM-based XSS occurs when client-side script reads untrusted input (for example from the URL) and writes it back into the page's Document Object Model without proper sanitization, so that attacker-controlled content is interpreted as executable JavaScript. Because the vulnerable code runs in the browser, the payload need not appear in the server's response. The vulnerability requires high-privilege authenticated access (administrator level) to the WordPress admin panel, meaning an attacker must already have significant control over the site. The attack vector is network-based but depends on social engineering or phishing to trick an administrator into opening a malicious link.

Affected Products (AI-generated)

All releases of the ThimPress WP Hotel Booking WordPress plugin from version 0.0.0 through version 2.2.8 inclusive are affected. More information is available in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/wp-hotel-booking/vulnerability/wordpress-wp-hotel-booking-plugin-2-2-7-cross-site-scripting-xss-vulnerability.

Remediation (AI-generated)

Update the WP Hotel Booking plugin to version 2.2.9 or later. Site administrators should navigate to the WordPress Plugins dashboard, locate WP Hotel Booking, and apply the available update. For sites that cannot update immediately, restrict administrative access to trusted users only and monitor admin audit logs for suspicious activity. Consult the plugin's entry in the Patchstack database at https://patchstack.com/database/Wordpress/Plugin/wp-hotel-booking/ for additional guidance, and confirm after updating that the installed version is no longer in the affected range.
