Skip to main content

Booking Manager CVE-2026-42751

| EUVDEUVD-2026-32201 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 audit@patchstack.com GHSA-4xv4-q83h-8j9x
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:39 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Manager booking-manager allows Stored XSS.This issue affects Booking Manager: from n/a through <= 2.1.18.

AnalysisAI

Stored XSS in the Booking Manager WordPress plugin (wpdevelop) versions through 2.1.18 allows authenticated low-privileged users to inject persistent malicious scripts that execute in other users' browsers. The CVSS scope change (S:C) indicates injected scripts can affect resources beyond the plugin itself - most critically, administrator sessions viewing booking data. No public exploit code has been identified at time of analysis, and EPSS at 0.03% (10th percentile) signals minimal observed exploitation interest currently.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates the plugin fails to sanitize or escape user-supplied input before storing it and later rendering it in HTML output. In WordPress stored XSS, attacker-controlled input is persisted to the database via a booking-related form field and later served unescaped to any visitor loading the affected page. The CVSS scope change (S:C) is characteristic of WordPress plugin XSS where the injected script executes in the browser context of higher-privileged users - typically site administrators - giving the attacker cross-context impact beyond the plugin's own trust boundary. No CPE strings were provided in the input data; the affected product is identified from the NVD description and EUVD-2026-32201 as the wpdevelop Booking Manager plugin for WordPress.

RemediationAI

Update the Booking Manager plugin to a version above 2.1.18 as soon as a patched release is published. Check the WordPress plugin repository for an updated release and verify the changelog confirms this CVE is addressed. Note: the available input data does not confirm a specific patched version number - the fix version has not been independently verified from this dataset. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/booking-manager/vulnerability/wordpress-booking-manager-plugin-2-1-18-cross-site-scripting-xss-vulnerability for updated patch status. As an interim compensating control, restrict booking submission capabilities to trusted, vetted user accounts only - removing the ability for untrusted low-privileged users (e.g., subscribers, unapproved customers) to submit booking forms will eliminate the injection vector, at the trade-off of requiring manual booking intake. Additionally, a WordPress WAF rule targeting stored XSS patterns in booking form inputs (available via Patchstack Firewall or Wordfence) can block exploitation without disabling functionality.

Share

CVE-2026-42751 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy