Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows DOM-Based XSS. This issue affects WP Hotel Booking: from n/a through <= 2.2.8.
Published: 2025-12-09
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input in ThimPress WP Hotel Booking allows a DOM‑Based Cross‑Site Scripting vulnerability. An attacker who can influence the content of the affected page could inject malicious JavaScript that executes in a victim’s browser. This could lead to credential theft, defacement, or session hijacking for site visitors or administrators.

Affected Systems

All installations of the WP Hotel Booking plugin developed by ThimPress, from the earliest available revision through version 2.2.8, are vulnerable. No specific sub‑version information is provided beyond the upper bound of 2.2.8.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate severity. The EPSS score is less than 1 %, suggesting a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, implying no confirmed exploits at the time of this analysis. Based on the description, the likely attack vector is a DOM‑Based XSS that requires the attacker to inject input that is rendered on the client side, possibly through form fields or URL parameters. No network‑level access is required, and the impact is limited to the browser running the affected page.

Generated by OpenCVE AI on April 29, 2026 at 13:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Hotel Booking plugin to version 2.2.9 or later.
  • If an immediate upgrade cannot be performed, temporarily disable or remove the plugin from the WordPress installation until a patch is released.
  • Configure a Content Security Policy that disallows inline script execution and only permits scripts from trusted sources.
  • Implement server‑side input sanitization for any user‑controlled parameters, ensuring that no unescaped user data reaches the browser.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows DOM-Based XSS.This issue affects WP Hotel Booking: from n/a through <= 2.2.7.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows DOM-Based XSS.This issue affects WP Hotel Booking: from n/a through <= 2.2.8.

Type: Title
Values Removed: WordPress WP Hotel Booking plugin <= 2.2.7 - Cross Site Scripting (XSS) vulnerability
Values Added: WordPress WP Hotel Booking plugin <= 2.2.8 - Cross Site Scripting (XSS) vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 18:00:00 +0000

Type: First Time appeared
Values Added: Thimpress; Thimpress wp Hotel Booking; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Thimpress; Thimpress wp Hotel Booking; Wordpress; Wordpress wordpress

Wed, 10 Dec 2025 12:15:00 +0000

Type: Metrics
Values Added:
cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Dec 2025 15:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows DOM-Based XSS.This issue affects WP Hotel Booking: from n/a through <= 2.2.7.

Type: Title
Values Added: WordPress WP Hotel Booking plugin <= 2.2.7 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:34:01.014Z

Reserved: 2025-10-24T14:25:34.657Z

Link: CVE-2025-63011

Vulnrichment

Updated: 2025-12-10T11:20:43.248Z

NVD

Status : Deferred

Published: 2025-12-09T16:18:06.583

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-63011

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T13:30:12Z

Weaknesses