Skip to main content

Booking Calendar Appointment Booking System CVE-2026-25435

| EUVDEUVD-2026-15726 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-7v9h-m3cp-hqf4
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15726
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Stored XSS.This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.36.

AnalysisAI

A Stored Cross-Site Scripting (XSS) vulnerability exists in the wpdevart Booking Calendar and Appointment Booking System WordPress plugin through version 3.2.36, allowing attackers to inject and execute malicious JavaScript code that persists in the application database. An authenticated or unauthenticated attacker can exploit this vulnerability to steal session cookies, perform actions on behalf of legitimate users, or redirect visitors to malicious sites. No CVSS score, EPSS probability, or active exploitation in the wild (KEV status) are currently available, but the vulnerability affects a widely-used booking plugin and likely represents a significant risk given the prevalence of WordPress installations.

Technical ContextAI

The vulnerability stems from improper input validation and output encoding in the Booking Calendar plugin (CPE: cpe:2.3:a:wpdevart:booking_calendar,_appointment_booking_system:*:*:*:*:*:*:*:*), classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). This CWE category encompasses failures to properly sanitize or escape user-supplied data before rendering it in HTML contexts, allowing attackers to inject arbitrary HTML and JavaScript. WordPress plugins are particularly susceptible to this class of vulnerability when they fail to use proper escaping functions (such as esc_html(), esc_attr(), wp_kses_post()) on user inputs displayed in forms, settings pages, or booking confirmation pages. The 'Stored' variant is especially dangerous because the malicious payload persists in the database and affects all subsequent visitors who view the compromised content.

RemediationAI

Immediately upgrade the Booking Calendar and Appointment Booking System plugin to version 3.2.37 or the latest available release (verify at https://wordpress.org/plugins/booking-calendar/ or via the WordPress plugin dashboard). If an immediate patch is unavailable or delays are expected, apply input validation and output encoding hardening by reviewing booking form handlers and calendar display templates, ensuring all user inputs are sanitized with WordPress sanitization functions (sanitize_text_field(), sanitize_email()) and all outputs are escaped with appropriate escaping functions (esc_html(), esc_attr(), wp_kses_post()). As an interim measure, restrict access to the plugin's administrative and booking entry pages to trusted IP ranges using a Web Application Firewall (WAF) or server-level rules, and enable WordPress security plugins that detect and block XSS payloads. Monitor access logs for unusual form submissions containing HTML or JavaScript tags, and review recent booking submissions for suspicious scripts.

Share

CVE-2026-25435 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy