Description
Contributor Cross Site Scripting (XSS) in Fluent Booking <= 2.1.0 versions.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a classic Cross Site Scripting (XSS) vulnerability in the Fluent Booking plugin for WordPress, classified as CWE-79. The plugin fails to properly validate or escape data supplied by a contributor, so an attacker with contributor access can inject script that runs in the browser of anyone who views the affected page. Such injected script can be used to hijack user sessions, steal credentials, or deface content.

Affected Systems

WordPress sites running the Fluent Booking plugin at version 2.1.0 or earlier. The vulnerability is specific to the file handling or display functions written by WPManageNinja LLC. Any deployment that has not updated to 2.1.1 or newer remains susceptible.

Risk and Exploitability

The CVSS base score of 6.5 indicates medium severity. No EPSS score is available, so the probability of exploitation cannot be quantified precisely, but the absence of a KEV listing suggests no widespread active exploitation has been documented. The attacker must supply malicious input through the booking interface or via contributor access; because those paths are likely reachable publicly or by authenticated users, the attack is feasible on any site operating the vulnerable plugin.

Generated by OpenCVE AI on June 26, 2026 at 16:55 UTC.

Remediation

Vendor Solution

Update the WordPress Fluent Booking Plugin to the latest available version (at least 2.1.1).


OpenCVE Recommended Actions

  • Upgrade the Fluent Booking plugin to version 2.1.1 or later as released by WPManageNinja LLC
  • Ensure that the plugin’s input fields are validated and strictly escaped to prevent injection of arbitrary JavaScript
  • Review and sanitize any existing booking data that may have been stored using older plugin versions to eradicate stored XSS payloads



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:30:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type         Values Removed    Values Added
Description                    Contributor Cross Site Scripting (XSS) in Fluent Booking <= 2.1.0 versions.
Title                          WordPress Fluent Booking plugin <= 2.1.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T17:42:33.907Z

Reserved: 2026-06-25T08:03:17.055Z

Link: CVE-2026-57638

Vulnrichment

Updated: 2026-06-26T17:26:42.453Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:00:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')