EUVD-2026-16172
GHSA-j5rh-qm82-j48c
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Description
The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.0.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
Unauthenticated attackers can inject malicious scripts into Fluent Booking plugin for WordPress versions up to 2.0.01, enabling Stored Cross-Site Scripting attacks that execute in victim browsers whenever injected pages are accessed. The vulnerability stems from insufficient input sanitization across multiple parameters in LocationService.php, Booking.php, and FrontEndHandler.php. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Disable the Fluent Booking plugin or restrict access to booking forms via Web Application Firewall rules that block script injection patterns in form parameters. Within 7 days: Inventory all WordPress installations using Fluent Booking versions up to 2.0.01 and audit booking pages for evidence of injected scripts in database records and page content. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today