A high-severity vulnerability has been identified in the WPBookit plugin for WordPress, which could allow an attacker to inject malicious code into a website. This code executes in the browsers of website visitors, potentially leading to the theft of sensitive information, user account compromise, or redirection to malicious sites. Organizations using this plugin are at risk of data breaches and reputational damage.

This is a Stored Cross-Site Scripting (XSS) vulnerability. An authenticated attacker with access to the plugin's settings can inject malicious JavaScript code into the 'css_code' parameter. This malicious code is then stored in the website's database. When any user visits a page that renders this custom CSS, the malicious script will execute within their browser, compromising their session.

This is a High severity vulnerability with a CVSS score of 7.2. Successful exploitation could lead to significant business consequences, including the compromise of user and administrator accounts through session cookie theft, unauthorized actions performed on behalf of legitimate users, and the potential for a full website takeover if an administrator's session is hijacked. Further impacts include website defacement, theft of sensitive data submitted by users, and damage to the organization's reputation and user trust.

Immediate Action: Immediately update the WPBookit plugin to the latest patched version (greater than version 1) as recommended by the vendor. If the plugin is not essential for business operations, the recommended course of action is to disable and completely uninstall it to remove the attack vector.

Proactive Monitoring: Monitor web server access logs for suspicious POST requests to the plugin's administrative pages, specifically looking for payloads containing script tags or other JavaScript in the 'css_code' parameter. Implement a Web Application Firewall (WAF) to detect and block common XSS attack patterns. Regularly scan the website's front-end code for any unauthorized or malicious scripts.

Compensating Controls: If patching cannot be performed immediately, implement a WAF with strict XSS filtering rules to block malicious input to the vulnerable parameter. Restrict access to the WordPress administrative dashboard, and specifically the WPBookit plugin settings, to only trusted, essential personnel.

Public Exploit Available: false

Given the high severity (CVSS 7.2) and the direct path to user and administrator account compromise, we strongly recommend that all organizations using the WPBookit plugin take immediate action. The primary remediation is to apply the security update provided by the vendor. Although this vulnerability is not currently listed on the CISA KEV catalog, its potential impact warrants urgent attention to prevent future exploitation.