CVE-2025-31803: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Neteuro Turisbook Booking System WordPress plugin, affecting versions up to and including 1.3.7. The vulnerability was assigned CVE-2025-31803 and was publicly disclosed on April 1, 2025. The issue stems from insufficient input sanitization and output escaping in the plugin's functionality (WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires an authenticated user with contributor-level access or higher to exploit (Patchstack).

When successfully exploited, this vulnerability allows attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected content. This could enable malicious actors to inject scripts for redirects, advertisements, and other potentially harmful HTML payloads that execute when guests visit the affected site (WPScan, Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The issue affects Turisbook Booking System versions through 1.3.7, and users are advised to implement additional security measures while waiting for an official patch (NVD).

The vulnerability was initially discovered and reported by security researcher SOPROBRO on October 25, 2024, before being publicly disclosed by Patchstack on April 1, 2025 (Patchstack).