CVE-2025-27345: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2025-27345 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting the Booking Ultra Pro WordPress plugin versions up to and including 1.1.19. The vulnerability was discovered by Nguyen Xuan Chien and publicly disclosed on February 21, 2025. This security flaw stems from insufficient input sanitization and output escaping in the plugin's web page generation process (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Cross-Site Scripting) with a CVSS score of 6.1 (Medium). The security flaw allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute when users perform specific actions, such as clicking on a malicious link. The issue specifically relates to improper neutralization of input during web page generation (WPScan, Mitre).

If successfully exploited, this vulnerability could allow attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the affected website. These injected scripts would then be executed when visitors access the compromised site (Patchstack).

The vulnerability has been patched in version 1.1.20 of the Booking Ultra Pro plugin. Users are advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).