Skip to main content

Mybooktable Bookstore CVE-2026-39604

| EUVDEUVD-2026-20234 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Patchstack GHSA-rccc-q8r5-67f9
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:41 vuln.today
CVSS changed
Apr 13, 2026 - 20:22 NVD
5.9 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20234
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore mybooktable allows Stored XSS.This issue affects MyBookTable Bookstore: from n/a through <= 3.6.0.

AnalysisAI

MyBookTable Bookstore WordPress plugin versions 3.6.0 and earlier allow authenticated high-privilege users to inject malicious scripts that are stored and executed in the browsers of other users, enabling stored cross-site scripting (XSS) attacks. The vulnerability requires admin-level authentication and user interaction from victims to trigger, limiting real-world exploitation scope despite network accessibility. EPSS probability is exceptionally low at 0.03%, reflecting the authentication and interaction barriers.

Technical ContextAI

This is a classic CWE-79 Improper Neutralization of Input During Web Page Generation vulnerability in a WordPress plugin. The MyBookTable Bookstore plugin fails to properly sanitize or escape user-supplied input before rendering it in web pages. When an authenticated administrator injects malicious JavaScript through the plugin's interface, the input is stored in the database without neutralization. Upon subsequent page generation, the unescaped payload is reflected to users, executing in their browser context. WordPress plugins are server-side PHP applications typically running on Apache/Nginx with MySQL backends, and this XSS variant persists across sessions and user interactions.

RemediationAI

Update MyBookTable Bookstore plugin to the patched version released by zookatron (version number for patched release not specified in available data; consult WordPress.org plugin page or vendor advisory for exact fixed version). In WordPress admin dashboard, navigate to Plugins > Installed Plugins, locate MyBookTable Bookstore, and click Update if available. Alternatively, download the latest version from https://wordpress.org/plugins/mybooktable/ or the vendor's official source. As a temporary workaround pending patching, restrict WordPress administrative user roles to trusted staff only and audit existing admin accounts for suspicious activity. Review plugin settings and any stored content for injected scripts. References: Patchstack database https://patchstack.com/database/Wordpress/Plugin/mybooktable/vulnerability/wordpress-mybooktable-bookstore-plugin-3-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve and NVD CVE-2026-39604 advisory.

Share

CVE-2026-39604 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy