CVE-2025-68852
Published: 20 February 2026
Summary
CVE-2025-68852 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-68852 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the webmuehle Court Reservation WordPress plugin (court-reservation). This issue impacts all versions from an unspecified starting point through 1.10.13. The vulnerability has a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and low impacts on confidentiality, integrity, and availability.
Remote attackers without privileges can exploit this Reflected XSS by injecting malicious scripts into user-controlled input that is reflected back in the web page without proper neutralization. Exploitation requires tricking a user, such as a site administrator or authenticated visitor, into interacting with a crafted link or input (e.g., via phishing). Successful exploitation allows script execution in the victim's browser context, potentially leading to session hijacking, data theft, or other low-impact actions within the changed security scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/court-reservation/vulnerability/wordpress-court-reservation-manage-your-court-bookings-online-plugin-1-10-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on the vulnerability, including specifics for versions like 1.10.8, with recommendations for mitigation through plugin updates beyond 1.10.13 or input sanitization workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207588
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webmuehle Court Reservation court-reservation allows Reflected XSS. This issue affects Court Reservation: from n/a through <= 1.10.13.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of the app (T1190) and is typically delivered via malicious links in phishing campaigns requiring user interaction (T1566.002, T1204.001).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 (Information Input Validation): Requires validation and sanitization of all user-supplied input before it is reflected in web responses, directly blocking the malicious script injection that defines this reflected XSS flaw.
SI-15 (Information Output Filtering): Mandates filtering of information output by the system, neutralizing untrusted script content in dynamically generated pages before it reaches the victim's browser.
Provides mechanisms to detect and block malicious code (scripts) delivered via web requests or responses, limiting exploitation of the unsanitized input path.
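As an added illustration of the two controls above (this is example code, not the Court Reservation plugin's own code nor anything from the Patchstack advisory), the following plain PHP puts the reflected-output pattern beside its hardened form. The request parameter name, the validation policy for a search term, and the page markup are assumptions made for the example.

```php
<?php
// Added example: input validation (SI-10) and output filtering (SI-15)
// for a reflected parameter. Hypothetical code; not the plugin's own.

declare(strict_types=1);

// Vulnerable pattern: the request value is concatenated straight into the page,
// so whatever the URL carried becomes part of the HTML source as-is.
function render_unsafe(string $userInput): string
{
    return '<p>Search results for: ' . $userInput . '</p>';
}

// SI-10: validate the input before it is used anywhere.
// Accept only what a court-search term legitimately needs (hypothetical policy:
// letters, digits, spaces, hyphens, apostrophes; at most 64 characters) and
// reject everything else rather than trying to repair it.
function validate_search_term(string $userInput): ?string
{
    $term = trim($userInput);
    if ($term === '' || mb_strlen($term, 'UTF-8') > 64) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} \'-]+$/u', $term)) {
        return null;
    }
    return $term;
}

// SI-15: encode for the output context at the moment of output.
// ENT_QUOTES covers element content and quoted attribute values alike;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function esc_html_ctx(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(string $userInput): string
{
    $term = validate_search_term($userInput);
    if ($term === null) {
        // Input failed validation: do not reflect it at all, not even encoded.
        return '<p>Invalid search term.</p>';
    }
    // Validated input is still encoded on output; the two controls are independent layers,
    // so a later relaxation of the validation policy does not reopen the reflection.
    return '<p>Search results for: ' . esc_html_ctx($term) . '</p>'
         . '<input type="text" name="q" value="' . esc_html_ctx($term) . '">';
}

// Constructed probes: one legitimate term containing a quote character,
// one harmless markup fragment that the validation policy should refuse.
$probes = [
    "O'Brien court",
    'Court 1 <i>marker</i>',
];

foreach ($probes as $probe) {
    echo "Input : {$probe}\n";
    echo "Unsafe: " . render_unsafe($probe) . "\n";
    echo "Safe  : " . render_safe($probe) . "\n\n";
}
```

Run with the PHP CLI. The first probe passes validation and is reflected with its apostrophe entity-encoded, so it cannot terminate the attribute value it is placed in; the second is refused outright because angle brackets are outside the hypothetical policy. In a WordPress plugin the same layering is normally expressed with sanitize_text_field() on the way in and esc_html() or esc_attr() at the point of output, chosen by the HTML context the value lands in.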