Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Calendar booking allows Stored XSS. This issue affects Booking Calendar: from n/a through <= 10.14.7.
Published: 2025-11-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of input during web page generation allows stored cross‑site scripting in the Booking Calendar plugin, which can cause injected scripts to be rendered when booking information is displayed.

Affected Systems

The vulnerability affects all installations of the wpdevelop Booking Calendar plugin running version 10.14.7 or earlier; newer releases are not impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, while the EPSS score below 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector involves creating or editing a booking entry with malicious input; the offending script is then stored and executed for any user that later views that booking. Exploitation requires the ability to write booking content, so full site control is not mandatory.

Generated by OpenCVE AI on April 29, 2026 at 13:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Booking Calendar plugin to version 10.14.8 or newer.
  • If upgrading is not immediately possible, limit the ability to create or modify bookings to trusted administrators only.
  • Configure a web application firewall to block or sanitize web requests containing script tags or other typical XSS payloads.


Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 17 Nov 2025 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 17 Nov 2025 19:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Thu, 13 Nov 2025 16:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wpdevelop; Wpdevelop booking Calendar

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wpdevelop; Wpdevelop booking Calendar

Thu, 13 Nov 2025 09:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Calendar booking allows Stored XSS. This issue affects Booking Calendar: from n/a through <= 10.14.7.

Type: Title
Values Added: WordPress Booking Calendar plugin <= 10.14.7 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:32:44.923Z

Reserved: 2025-10-31T11:25:32.710Z

Link: CVE-2025-64381

Vulnrichment

Updated: 2025-11-17T19:06:14.604Z

NVD

Status: Deferred

Published: 2025-11-13T10:15:54.180

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64381

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T13:45:12Z

Weaknesses