Description
The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' parameters in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page (the HBook Customers admin page).
Published: 2026-05-27
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows unauthenticated attackers to store malicious scripts by submitting values for the hb_country_iso, hb_usa_state_iso, and hb_canada_province_iso parameters. The supplied script is persisted and later rendered without escaping on the HBook Customers admin page, so it executes in the browser of any user who views that page, running with that user's session and privileges.

Affected Systems

All installations of Omnivo Booking Calendar – Event Calendar for WordPress that run version 2.1.6 or earlier are vulnerable.

Risk and Exploitability

The CVSS score of 7.2 is rated High. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. Because no authentication is required and the payload is stored, a single crafted submission affects every user who later opens the Customers admin page, enabling data theft, session hijacking, or site defacement. Typical exploitation involves submitting crafted parameter values through the plugin interface or in a crafted HTTP request, which the plugin then stores and renders without sanitizing or escaping the content.

Generated by OpenCVE AI on May 27, 2026 at 09:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Booking Calendar – Event Calendar plugin to any release newer than 2.1.6; if no update exists, consider removing the plugin or disabling the affected parameters.
  • Use a Web Application Firewall or server rules to block or strip the hb_country_iso, hb_usa_state_iso, and hb_canada_province_iso parameters, rejecting any values that contain script tags or other disallowed content.
  • Implement input validation and output escaping for these parameters in custom code or with a security plugin, ensuring that any user‑supplied data is properly sanitized before storage and escaped before rendering.
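The two defences named in the last recommendation, input validation before storage and output escaping before rendering, as an added PHP example. This is not code from the HBook/Omnivo plugin; the expected formats of the three parameters are assumed here (two-letter ISO 3166-1 country codes and two-letter US state and Canadian province abbreviations), the helper names are hypothetical, and the sample submissions are constructed. Under WordPress the escaping step uses esc_html(); the htmlspecialchars() fallback only keeps the file runnable outside WordPress.

```php
<?php
// Added example, not HBook/Omnivo plugin code. Demonstrates rejecting
// non-ISO values on input and HTML-escaping stored values on output for
// the three parameters named in the advisory.

// Allowlist of expected shapes. The advisory does not state the formats;
// two uppercase letters are assumed for all three (assumption).
const HB_ISO_PATTERNS = [
    'hb_country_iso'         => '/^[A-Z]{2}$/',
    'hb_usa_state_iso'       => '/^[A-Z]{2}$/',
    'hb_canada_province_iso' => '/^[A-Z]{2}$/',
];

/**
 * Input validation: return the normalised code, or null when the submitted
 * value is not a plausible ISO code. Rejecting rather than stripping means
 * a value carrying a script tag never reaches the database at all.
 */
function hb_validate_iso_param(string $name, $raw): ?string
{
    if (!isset(HB_ISO_PATTERNS[$name]) || !is_string($raw)) {
        return null;
    }
    $value = strtoupper(trim($raw));
    return preg_match(HB_ISO_PATTERNS[$name], $value) === 1 ? $value : null;
}

/**
 * Output escaping: HTML-escape the stored value at render time, whether or
 * not it was validated on the way in. This is the control that closes the
 * CWE-79 gap for records that were stored before validation was added.
 */
function hb_escape_for_html($stored): string
{
    $s = (string) $stored;
    return function_exists('esc_html')
        ? esc_html($s)                                   // WordPress
        : htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); // plain PHP
}

/**
 * Render one Customers-table cell safely: a validated code is printed as-is
 * (it matched the allowlist), anything else is printed escaped so that it is
 * displayed as text and cannot execute.
 */
function hb_render_iso_cell(string $name, $stored): string
{
    $valid = hb_validate_iso_param($name, $stored);
    $text  = $valid ?? hb_escape_for_html($stored);
    return '<td>' . $text . '</td>';
}

// Constructed sample submissions (not taken from the advisory).
$samples = [
    'hb_country_iso'         => 'ca',
    'hb_usa_state_iso'       => 'NY',
    'hb_canada_province_iso' => '<script>alert(1)</script>',
];

foreach ($samples as $name => $raw) {
    $valid = hb_validate_iso_param($name, $raw);
    printf("%-24s validated=%-5s rendered=%s\n",
        $name, var_export($valid, true), hb_render_iso_cell($name, $raw));
}
```

Running the script shows the first two values normalised to `CA` and `NY`, while the third is rejected at validation (`NULL`) and, if it were already in the database, would be rendered as escaped text rather than as markup. The same allowlist regex can be reused as the matching rule for the WAF or server rule in the second recommendation.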



Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Omnivo
                                       Omnivo booking Calendar – Event Calendar
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Omnivo
                                       Omnivo booking Calendar – Event Calendar
                                       Wordpress
                                       Wordpress wordpress

Wed, 27 May 2026 08:00:00 +0000

Type          Values Removed   Values Added
Description                    The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' parameters in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page (the HBook Customers admin page).
Title                          Booking Calendar – Event Calendar <= 2.1.6 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1
                               {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Omnivo Booking Calendar – Event Calendar
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:29:00.472Z

Reserved: 2026-05-07T20:39:17.716Z

Link: CVE-2026-8143

Vulnrichment

Updated: 2026-05-27T10:28:55.445Z

NVD

Status : Deferred

Published: 2026-05-27T08:16:45.317

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-8143

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:06:39Z

Weaknesses