Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ameliabooking Booking System Trafft booking-system-trafft allows Stored XSS. This issue affects Booking System Trafft: from n/a through <= 1.0.14.
Published: 2025-08-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Booking System Trafft plugin contains a stored XSS flaw: it fails to neutralize user-supplied input before rendering it into web pages. The weakness, classified as CWE-79, permits an attacker to inject JavaScript that executes in the browser of any visitor who views the affected content, potentially enabling session hijacking, defacement, or malicious downloads.

Affected Systems

Any WordPress site that uses the ameliabooking Booking System Trafft plugin version 1.0.14 or older is affected. The vulnerability applies to all installations that have not been updated beyond that version, whether the plugin was obtained from the WordPress repository or directly from ameliabooking.

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate-to-high level of risk. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the issue is not listed in the CISA KEV catalog. Because the flaw is a stored XSS that can be triggered via input accepted by the plugin, an attacker could compromise site visitors without needing authentication, making it a notable concern for site administrators.

Generated by OpenCVE AI on April 30, 2026 at 15:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Booking System Trafft plugin to the latest version once the vendor releases a fix.
  • If an update is not immediately available, deactivate or uninstall the plugin to eliminate the attack surface.
  • Add or strengthen a Content-Security-Policy header that blocks inline script execution, or otherwise restrict script sources to mitigate the XSS risk.


Advisories

Source: EUVD
ID: EUVD-2025-25920
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ameliabooking Booking System Trafft allows Stored XSS. This issue affects Booking System Trafft: from n/a through 1.0.14.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Type: Metrics (cvssV3_1)
  Values: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Type: Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ameliabooking Booking System Trafft allows Stored XSS. This issue affects Booking System Trafft: from n/a through 1.0.14.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ameliabooking Booking System Trafft booking-system-trafft allows Stored XSS.This issue affects Booking System Trafft: from n/a through <= 1.0.14.

  Type: References

  Type: Metrics (cvssV3_1)
  Values: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Thu, 28 Aug 2025 07:45:00 +0000

  Type: First Time appeared
  Values Added: Ameliabooking; Ameliabooking booking System Trafft; Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values Added: Ameliabooking; Ameliabooking booking System Trafft; Wordpress; Wordpress wordpress

Wed, 27 Aug 2025 19:15:00 +0000

  Type: Metrics (ssvc)
  Values: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 Aug 2025 18:00:00 +0000

  Type: Description
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ameliabooking Booking System Trafft allows Stored XSS. This issue affects Booking System Trafft: from n/a through 1.0.14.

  Type: Title
  Values Added: WordPress Booking System Trafft Plugin <= 1.0.14 - Cross Site Scripting (XSS) Vulnerability

  Type: Weaknesses
  Values Added: CWE-79

  Type: References

  Type: Metrics (cvssV3_1)
  Values: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:36:09.851Z

Reserved: 2025-08-27T16:19:19.005Z

Link: CVE-2025-58213

Vulnrichment

Updated: 2025-08-27T18:14:22.682Z

NVD

Status: Deferred

Published: 2025-08-27T18:15:49.553

Modified: 2026-04-23T15:33:18.947

Link: CVE-2025-58213

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:45:40Z

Weaknesses