Skip to main content

Fluent Booking CVE-2026-57638

| EUVDEUVD-2026-39754 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 audit@patchstack.com GHSA-xqj2-5xg4-w8vj
6.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Contributor authentication (PR:L) and mandatory admin interaction (UI:R) bound the attack surface; scope changes into victim browser session; no credible availability impact from XSS justifies removing A:L.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:12 vuln.today

DescriptionCVE.org

Contributor Cross Site Scripting (XSS) in Fluent Booking <= 2.1.0 versions.

AnalysisAI

Stored cross-site scripting in the Fluent Booking WordPress plugin (versions up to and including 2.1.0) enables authenticated contributors to inject arbitrary JavaScript into booking-related content that executes in the browser of any higher-privileged user who reviews or views that content. The CVSS Scope:Changed metric confirms the payload escapes the contributor's low-privilege context and compromises the browser session of editors or administrators, enabling session hijacking or unauthorized privileged actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or compromise WordPress contributor account
Delivery
Craft booking entry with JavaScript XSS payload
Exploit
Submit malicious booking through Fluent Booking interface
Execution
Induce administrator to open and review booking
Persist
XSS executes in admin browser session
Impact
Steal session token or invoke privileged admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress user account holding at minimum the Contributor role on a site running Fluent Booking version 2.1.0 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) accurately reflects the constrained but meaningful risk: the attack is network-delivered (AV:N) with low complexity (AC:L), but requires a low-privilege authenticated account (PR:L) and relies on a privileged user interacting with the malicious content (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a WordPress account with Contributor privileges on a site running Fluent Booking 2.1.0 or earlier, then submits a booking entry with a JavaScript payload embedded in a vulnerable input field. When an administrator navigates to the booking management interface to review or approve the entry, the script executes in the admin's browser, capturing session cookies or silently invoking privileged WordPress actions such as creating a rogue admin account. …
Remediation Update Fluent Booking to the first release above version 2.1.0 that addresses this XSS; the exact fix version must be confirmed via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/fluent-booking/vulnerability/wordpress-fluent-booking-plugin-2-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve) or the WordPress plugin repository changelog, as no confirmed patch version is stated in the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57638 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy