Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Deetronix Booking Ultra Pro booking-ultra-pro allows Reflected XSS.This issue affects Booking Ultra Pro: from n/a through <= 1.1.19.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper sanitisation of user input in Deetronix Booking Ultra Pro enables a reflected cross‑site scripting flaw. An attacker can exploit this by embedding JavaScript in request parameters that are echoed back in the generated web page. The injected script runs with the privileges of the victim user, potentially permitting session hijacking, credential theft, or defacement. This vulnerability is identified as CWE‑79 and carries a CVSS score of 7.1, indicating a medium‑to‑high risk for affected installations.

Affected Systems

It affects the Deetronix Booking Ultra Pro plugin for WordPress, versions from the earliest release through 1.1.19. Users running any of these versions should verify the currently installed version and compare it with the latest available release.

Risk and Exploitability

The CVSS metric indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at this time. The vulnerability can be leveraged when a victim visits a crafted URL that contains unsanitised parameters, meaning that the attacker must first entice a target to click a malicious link or email. The flaw is not listed in CISA’s Known Exploited Vulnerabilities catalogue, which further signals limited exploitation activity observed publicly.

Generated by OpenCVE AI on May 1, 2026 at 09:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Deetronix Booking Ultra Pro to version 1.1.20 or later.
  • If an update is not yet available, enforce a Content Security Policy that disallows inline scripts and restricts execution of scripts from untrusted origins on all pages that load the plugin.
  • Conduct a comprehensive security review of all plugins and themes to identify and remediate additional reflected XSS or input validation issues.

Generated by OpenCVE AI on May 1, 2026 at 09:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-11642 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Deetronix Booking Ultra Pro allows Reflected XSS. This issue affects Booking Ultra Pro: from n/a through 1.1.19.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Deetronix Booking Ultra Pro allows Reflected XSS. This issue affects Booking Ultra Pro: from n/a through 1.1.19. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Deetronix Booking Ultra Pro booking-ultra-pro allows Reflected XSS.This issue affects Booking Ultra Pro: from n/a through <= 1.1.19.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Deetronix Booking Ultra Pro allows Reflected XSS. This issue affects Booking Ultra Pro: from n/a through 1.1.19.
Title WordPress Booking Ultra Pro Plugin <= 1.1.19 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:48.880Z

Reserved: 2025-02-21T16:46:02.627Z

Link: CVE-2025-27345

cve-icon Vulnrichment

Updated: 2025-04-17T17:45:03.657Z

cve-icon NVD

Status : Deferred

Published: 2025-04-17T16:15:38.160

Modified: 2026-04-23T15:26:24.897

Link: CVE-2025-27345

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T09:45:07Z

Weaknesses