Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore mybooktable allows Stored XSS.This issue affects MyBookTable Bookstore: from n/a through <= 3.6.0.
AnalysisAI
MyBookTable Bookstore WordPress plugin versions 3.6.0 and earlier allow authenticated high-privilege users to inject malicious scripts that are stored and executed in the browsers of other users, enabling stored cross-site scripting (XSS) attacks. The vulnerability requires admin-level authentication and user interaction from victims to trigger, limiting real-world exploitation scope despite network accessibility. EPSS probability is exceptionally low at 0.03%, reflecting the authentication and interaction barriers.
Technical ContextAI
This is a classic CWE-79 Improper Neutralization of Input During Web Page Generation vulnerability in a WordPress plugin. The MyBookTable Bookstore plugin fails to properly sanitize or escape user-supplied input before rendering it in web pages. When an authenticated administrator injects malicious JavaScript through the plugin's interface, the input is stored in the database without neutralization. Upon subsequent page generation, the unescaped payload is reflected to users, executing in their browser context. WordPress plugins are server-side PHP applications typically running on Apache/Nginx with MySQL backends, and this XSS variant persists across sessions and user interactions.
RemediationAI
Update MyBookTable Bookstore plugin to the patched version released by zookatron (version number for patched release not specified in available data; consult WordPress.org plugin page or vendor advisory for exact fixed version). In WordPress admin dashboard, navigate to Plugins > Installed Plugins, locate MyBookTable Bookstore, and click Update if available. Alternatively, download the latest version from https://wordpress.org/plugins/mybooktable/ or the vendor's official source. As a temporary workaround pending patching, restrict WordPress administrative user roles to trusted staff only and audit existing admin accounts for suspicious activity. Review plugin settings and any stored content for injected scripts. References: Patchstack database https://patchstack.com/database/Wordpress/Plugin/mybooktable/vulnerability/wordpress-mybooktable-bookstore-plugin-3-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve and NVD CVE-2026-39604 advisory.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20234
GHSA-rccc-q8r5-67f9