Description
The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'css_code' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the save_custome_code() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-11-21
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The WPBookit plugin contains a stored cross‑site scripting flaw caused by the lack of a capability check in the save_custome_code() function. Externally supplied data passed via the css_code parameter is persisted and rendered without proper sanitization, allowing an unauthenticated attacker to inject arbitrary JavaScript that will execute whenever a user views a page using the affected code.

Affected Systems

WordPress sites running the WPBookit plugin from iqonicdesign, any version up to and including 1.0.6, are affected.

Risk and Exploitability

With a CVSS score of 7.2 the vulnerability is classified as high severity. The EPSS score is below 1%, indicating a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers do not need any authentication or elevated privileges; they simply supply malicious content in the css_code field, which is then stored and later rendered to all site visitors. Because the flaw is reachable without authentication, every visitor of an affected site is at risk of executing the injected scripts.

Generated by OpenCVE AI on April 22, 2026 at 12:49 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPBookit plugin to the latest version where the capability check has been added.
  • If an upgrade is not immediately possible, temporarily disable the custom CSS feature or uninstall the WPBookit plugin until a patched version is available.
  • Monitor user sessions for signs of XSS exploitation and ensure the rest of the WordPress installation (core, themes, other plugins) is up to date to reduce the overall attack surface.
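To make the bug class and the fix concrete, here is an added illustration written for this page; it is not WPBookit's code, and the hook names, option name, nonce action and required capability are assumptions. The first handler has the shape the description implies (reachable without login, no capability check, CSS stored and echoed verbatim); the second shows the capability check the recommended actions refer to, plus a nonce and sanitization on both the write and the read path.

```php
<?php
// Hypothetical illustration of a missing-capability-check stored XSS; not WPBookit's code.
// All names below (hooks, option key, nonce action) are assumed for the example.

// VULNERABLE pattern: the _nopriv hook makes the handler reachable by logged-out users,
// nothing checks who is calling, and the raw value is stored and later rendered as-is.
add_action( 'wp_ajax_nopriv_example_save_css', 'example_save_css_vulnerable' );
add_action( 'wp_ajax_example_save_css', 'example_save_css_vulnerable' );
function example_save_css_vulnerable() {
    $css = isset( $_POST['css_code'] ) ? wp_unslash( $_POST['css_code'] ) : '';
    update_option( 'example_custom_css', $css ); // stored verbatim, no sanitization
    wp_send_json_success();
}
function example_print_css_vulnerable() {
    // Rendered verbatim into every page: anything that breaks out of <style> executes for visitors.
    echo '<style>' . get_option( 'example_custom_css', '' ) . '</style>';
}

// HARDENED pattern: no _nopriv hook, a nonce against CSRF, an explicit capability check,
// and markup stripped before storage and again on output (defence in depth).
add_action( 'wp_ajax_example_save_css_safe', 'example_save_css_hardened' );
function example_save_css_hardened() {
    check_ajax_referer( 'example_save_css', 'nonce' );        // dies on a missing/invalid nonce
    if ( ! current_user_can( 'manage_options' ) ) {           // the missing capability check
        wp_send_json_error( 'forbidden', 403 );
    }
    $css = isset( $_POST['css_code'] ) ? wp_unslash( $_POST['css_code'] ) : '';
    // Strip all tags so the value cannot close the <style> element or introduce <script>;
    // this mirrors how WordPress core treats the Customizer's "Additional CSS" on output.
    $css = wp_strip_all_tags( $css );
    update_option( 'example_custom_css', $css );
    wp_send_json_success();
}
function example_print_css_hardened() {
    // Re-sanitize on output so a value written by an older, unsafe code path is still neutralized.
    $css = wp_strip_all_tags( get_option( 'example_custom_css', '' ) );
    echo '<style id="example-custom-css">' . $css . '</style>';
}
add_action( 'wp_head', 'example_print_css_hardened' );
```

When reviewing a plugin for this class of issue, look for every `wp_ajax_nopriv_*` or `admin_post_nopriv_*` registration that writes options or post meta and confirm each one performs a `current_user_can()` check before the write.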



Advisories

No advisories yet.

History

Mon, 24 Nov 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Nov 2025 09:15:00 +0000

Type: First Time appeared
Values Added: Iqonicdesign; Iqonicdesign wpbookit; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Iqonicdesign; Iqonicdesign wpbookit; Wordpress; Wordpress wordpress

Fri, 21 Nov 2025 07:45:00 +0000

Type: Description
Values Added: The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'css_code' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the save_custome_code() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: WPBookit <= 1.0.6 - Unauthenticated Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:55.575Z

Reserved: 2025-10-23T20:58:43.149Z

Link: CVE-2025-12135

Vulnrichment

Updated: 2025-11-24T16:41:21.848Z

NVD

Status : Deferred

Published: 2025-11-21T08:15:52.717

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12135

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:00:09Z

Weaknesses