CVE-2025-52787: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in EZiHosting Tennis Court Bookings WordPress plugin, identified as CVE-2025-52787. The vulnerability affects all versions up to and including 1.2.7, and was first reported on May 10, 2025, by security researcher Nguyen Xuan Chien. The vulnerability was publicly disclosed on July 7, 2025 (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and stems from insufficient input sanitization and output escaping in the Tennis Court Bookings plugin. The severity is rated as HIGH with a CVSS v3.1 base score of 7.1 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). The vulnerability requires user interaction but can be exploited by unauthenticated attackers (NVD, Patchstack).

If successfully exploited, this vulnerability allows attackers to inject malicious scripts that can execute when users visit the affected site. The impact includes potential injection of redirects, advertisements, and other HTML payloads that execute in the context of the victim's browser (Patchstack).

No official fix is currently available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks. Users are advised to either implement the Patchstack virtual patch or consider removing and replacing the plugin with a secure alternative (Patchstack).