CVE-2025-9346
BaseFortify
Publication date: 2025-08-28
Last updated on: 2025-08-29
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | booking_calendar | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9346 is a Stored Cross-Site Scripting (XSS) vulnerability in the Booking Calendar plugin for WordPress, affecting all versions up to and including 10.14.1. It occurs because the plugin does not properly sanitize and escape input in its settings, allowing authenticated users with Administrator-level access or higher to inject malicious web scripts. These scripts execute whenever a user views the affected page, potentially compromising user data or site integrity.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with Administrator-level access to inject malicious scripts into the website's pages. When other users access these pages, the scripts execute in their browsers, potentially leading to theft of sensitive information, session hijacking, or unauthorized actions performed on behalf of users. This can compromise the security and trustworthiness of the affected website.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the Booking Calendar plugin version is 10.14.1 or earlier, as these versions are vulnerable. Additionally, monitoring for suspicious POST requests containing color input parameters that are not properly sanitized could indicate exploitation attempts. Since the vulnerability involves Stored Cross-Site Scripting via settings, reviewing the plugin's settings pages for injected scripts or unusual content is recommended. Specific commands are not provided in the resources, but you can check the plugin version via WordPress CLI with `wp plugin get booking-calendar --field=version` and inspect POST requests using network monitoring tools or web application firewalls. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Booking Calendar plugin to version 10.14.2.2 or later, where the vulnerability is fixed by improved validation and sanitization of color input data received via POST requests. This update includes functions that sanitize color inputs to prevent injection of malicious scripts. Until the update is applied, restrict Administrator-level access to trusted users only and monitor for suspicious activity related to plugin settings. [1]