CVE-2025-23653: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability has been identified in Form To Online Booking WordPress plugin versions through 1.0. The vulnerability, tracked as CVE-2025-23653, was discovered on January 16, 2025, and allows for Reflected XSS attacks (Patchstack).

The vulnerability is classified as a Reflected Cross-site Scripting (XSS) issue with a CVSS v3.1 base score of 7.1 (High). The technical assessment indicates that this is an unauthenticated vulnerability, meaning it can be exploited without requiring user authentication. The vulnerability is categorized under CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The exploitation of this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

While no official fix is currently available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Website administrators are advised to implement the virtual patch immediately until an official fix becomes available (Patchstack).