Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Contributor authentication (PR:L) and mandatory admin interaction (UI:R) bound the attack surface; scope changes into victim browser session; no credible availability impact from XSS justifies removing A:L.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Contributor Cross Site Scripting (XSS) in Fluent Booking <= 2.1.0 versions.
AnalysisAI
Stored cross-site scripting in the Fluent Booking WordPress plugin (versions up to and including 2.1.0) enables authenticated contributors to inject arbitrary JavaScript into booking-related content that executes in the browser of any higher-privileged user who reviews or views that content. The CVSS Scope:Changed metric confirms the payload escapes the contributor's low-privilege context and compromises the browser session of editors or administrators, enabling session hijacking or unauthorized privileged actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress user account holding at minimum the Contributor role on a site running Fluent Booking version 2.1.0 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (Medium) accurately reflects the constrained but meaningful risk: the attack is network-delivered (AV:N) with low complexity (AC:L), but requires a low-privilege authenticated account (PR:L) and relies on a privileged user interacting with the malicious content (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a WordPress account with Contributor privileges on a site running Fluent Booking 2.1.0 or earlier, then submits a booking entry with a JavaScript payload embedded in a vulnerable input field. When an administrator navigates to the booking management interface to review or approve the entry, the script executes in the admin's browser, capturing session cookies or silently invoking privileged WordPress actions such as creating a rogue admin account. … |
| Remediation | Update Fluent Booking to the first release above version 2.1.0 that addresses this XSS; the exact fix version must be confirmed via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/fluent-booking/vulnerability/wordpress-fluent-booking-plugin-2-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve) or the WordPress plugin repository changelog, as no confirmed patch version is stated in the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39754
GHSA-xqj2-5xg4-w8vj