Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Stored XSS.This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.36.
AnalysisAI
A Stored Cross-Site Scripting (XSS) vulnerability exists in the wpdevart Booking Calendar and Appointment Booking System WordPress plugin through version 3.2.36, allowing attackers to inject and execute malicious JavaScript code that persists in the application database. An authenticated or unauthenticated attacker can exploit this vulnerability to steal session cookies, perform actions on behalf of legitimate users, or redirect visitors to malicious sites. No CVSS score, EPSS probability, or active exploitation in the wild (KEV status) are currently available, but the vulnerability affects a widely-used booking plugin and likely represents a significant risk given the prevalence of WordPress installations.
Technical ContextAI
The vulnerability stems from improper input validation and output encoding in the Booking Calendar plugin (CPE: cpe:2.3:a:wpdevart:booking_calendar,_appointment_booking_system:*:*:*:*:*:*:*:*), classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). This CWE category encompasses failures to properly sanitize or escape user-supplied data before rendering it in HTML contexts, allowing attackers to inject arbitrary HTML and JavaScript. WordPress plugins are particularly susceptible to this class of vulnerability when they fail to use proper escaping functions (such as esc_html(), esc_attr(), wp_kses_post()) on user inputs displayed in forms, settings pages, or booking confirmation pages. The 'Stored' variant is especially dangerous because the malicious payload persists in the database and affects all subsequent visitors who view the compromised content.
RemediationAI
Immediately upgrade the Booking Calendar and Appointment Booking System plugin to version 3.2.37 or the latest available release (verify at https://wordpress.org/plugins/booking-calendar/ or via the WordPress plugin dashboard). If an immediate patch is unavailable or delays are expected, apply input validation and output encoding hardening by reviewing booking form handlers and calendar display templates, ensuring all user inputs are sanitized with WordPress sanitization functions (sanitize_text_field(), sanitize_email()) and all outputs are escaped with appropriate escaping functions (esc_html(), esc_attr(), wp_kses_post()). As an interim measure, restrict access to the plugin's administrative and booking entry pages to trusted IP ranges using a Web Application Firewall (WAF) or server-level rules, and enable WordPress security plugins that detect and block XSS payloads. Monitor access logs for unusual form submissions containing HTML or JavaScript tags, and review recent booking submissions for suspicious scripts.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15726
GHSA-7v9h-m3cp-hqf4