Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Stored XSS. This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.36.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting vulnerability in the Booking Calendar plugin
Action: Patch Immediately
AI Analysis

Impact

The vulnerability arises from insufficient input sanitization, which lets attackers inject malicious scripts into web page content. Once stored, these scripts execute in the browser of any user who views the affected content, potentially enabling account hijacking, defacement, or delivery of malware. The weakness is classified as CWE‑79.

Affected Systems

The flaw resides in the wpdevart Booking Calendar and Appointment Booking System WordPress plugin. All released versions up to and including 3.2.36 are affected, regardless of the specific WordPress installation or user role.

Risk and Exploitability

With a CVSS score of 7.1, the threat is considered moderate to high. The exploit likelihood cannot be quantified due to missing EPSS data, but standard XSS exploitation techniques would suffice, especially if an attacker can submit input through the plugin’s booking or appointment interfaces. The vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation as of now.

Generated by OpenCVE AI on March 25, 2026 at 23:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Booking Calendar plugin to the latest available version (>= 3.2.37).
  • If an update is delayed, ensure all user‑supplied data is properly escaped or filtered before rendering.



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Values Added (none removed):
  • First Time appeared: Wordpress; Wordpress wordpress; Wpdevart; Wpdevart booking Calendar; Wpdevart booking Calendar, Appointment Booking System
  • Vendors & Products: Wordpress; Wordpress wordpress; Wpdevart; Wpdevart booking Calendar; Wpdevart booking Calendar, Appointment Booking System

Wed, 25 Mar 2026 21:15:00 +0000

Values Added (none removed):
  • Metrics, cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  • Metrics, ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Values Added (none removed):
  • Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Stored XSS. This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.36.
  • Title: WordPress Booking calendar, Appointment Booking System plugin <= 3.2.36 - Cross Site Scripting (XSS) vulnerability
  • Weaknesses: CWE-79
  • References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:09.590Z

Reserved: 2026-02-02T12:53:40.963Z

Link: CVE-2026-25435

Vulnrichment

Updated: 2026-03-25T20:05:06.000Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:50.730

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25435

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:40Z
