CVE-2025-7022: 
WordPress vulnerability analysis and mitigation

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in My Reservation System plugin versions 2.3 and below. The vulnerability was publicly disclosed on July 4, 2025, and assigned the identifier CVE-2025-7022. The issue affects WordPress installations using the vulnerable plugin versions (WPScan).

The vulnerability stems from improper sanitization and escaping of a parameter before outputting it back in the page. This vulnerability specifically exists in the plugin's preview.php file and can be exploited through the 'val' parameter. The vulnerability has been assigned a CVSS score of 7.1 (High), indicating significant security impact (WPScan).

When successfully exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of high-privilege users such as administrators. This could potentially lead to unauthorized access, data theft, or further compromise of the WordPress installation (WPScan).

As of the disclosure date, there is no known fix available for this vulnerability. Website administrators running affected versions of My Reservation System should consider either removing the plugin or implementing additional security controls to restrict access to the affected functionality (WPScan).