CVE-2025-63011 — Cross-site Scripting in WP Hotel Booking

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.9MEDIUMNVD

EPSS

0.1%

top 81.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Thimpress WP Hotel Booking

Timeline

PublishedDec 9

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows DOM-Based XSS.This issue affects WP Hotel Booking: from n/a through <= 2.2.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:LExploitability: 1.7 | Impact: 3.7

Affected Packages1 packages

▶CVEListV5thimpress/wp_hotel_booking2.2.8

🔴Vulnerability Details

GHSA

GHSA-4hwc-23r6-79m3: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allo↗2025-12-09

▶

CVEList

WordPress WP Hotel Booking plugin <= 2.2.8 - Cross Site Scripting (XSS) vulnerability↗2025-12-09

▶

🕵️Threat Intelligence

Wiz

CVE-2025-63011 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶