VYPR
Unrated severity · NVD Advisory · Published Oct 16, 2023 · Updated May 2, 2025

Booking Calendar < 9.7.3.1 - Unauthenticated Stored XSS

CVE-2023-4620

Description

The Booking Calendar WordPress plugin before 9.7.3.1 does not sanitize and escape some of its booking form data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated stored XSS in Booking Calendar plugin before 9.7.3.1 allows attackers to inject malicious scripts viewed by administrators.

Vulnerability

The Booking Calendar WordPress plugin before version 9.7.3.1 fails to sanitize and escape booking form data. Unauthenticated users can submit payloads that are stored and later executed when administrators view the data. [1]

Exploitation

An unauthenticated attacker can craft a malicious booking submission containing JavaScript code. When the site administrator accesses the booking management page, the payload executes. [1]

Impact

Successful exploitation leads to stored cross-site scripting, allowing the attacker to execute arbitrary JavaScript in the context of the admin's browser. This can lead to theft of session cookies, privilege escalation, or further compromise. [1]

Mitigation

Update to version 9.7.3.1 or later, which fixes the issue. No workarounds are mentioned. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization and output escaping of booking form data allows unauthenticated stored XSS."

Attack vector

An unauthenticated attacker submits a booking form containing malicious JavaScript in fields that are not sanitized or escaped by the plugin [ref_id=1]. The payload is stored in the database and later rendered in the WordPress admin interface. When an administrator views the affected booking data, the injected script executes in their browser session [CWE-79]. No authentication is required to submit the malicious payload, and the attack targets administrators who manage bookings.

Affected code

The advisory does not specify exact file paths or function names. The vulnerability exists in the Booking Calendar plugin's handling of booking form data prior to version 9.7.3.1 [ref_id=1].

What the fix does

The advisory states the vulnerability is fixed in version 9.7.3.1 [ref_id=1]. No patch diff is provided in the bundle; the fix is expected to sanitize booking form input on submission and escape output when rendering booking data in the admin interface. Together these steps prevent unauthenticated users from injecting HTML or JavaScript that would execute in an administrator's browser.
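As an added illustration of the sanitize-on-input, escape-on-output pattern the fix description implies (example code, not the Booking Calendar plugin's own; the handler names, table name and the `booking_note` field are assumed), the unsafe pattern is shown beside its hardened form:

```php
<?php
// Added example, not the plugin's code. Function, table and field names are
// assumed for illustration; the WordPress helpers used are real core functions.

// Unsafe pattern: the raw POST value is stored and later echoed into admin
// HTML unchanged, so any markup in the field is parsed by the admin's browser.
function bk_handle_booking_unsafe( array $post, wpdb $wpdb ) {
    $wpdb->insert( $wpdb->prefix . 'bk_bookings', array(
        'note' => $post['booking_note'],    // no sanitization on intake
    ) );
}
function bk_render_note_unsafe( string $note ) {
    echo '<td>' . $note . '</td>';           // no escaping on output
}

// Hardened pattern: sanitize on intake, escape at the point of output.
function bk_handle_booking( array $post, wpdb $wpdb ) {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, octets and control characters
    // from a single-line value.
    $note = sanitize_text_field( wp_unslash( $post['booking_note'] ?? '' ) );
    $wpdb->insert(
        $wpdb->prefix . 'bk_bookings',
        array( 'note' => $note ),
        array( '%s' )                        // value format for wpdb::insert
    );
}
function bk_render_note( string $note ) {
    // esc_html() encodes <, >, &, " and ' so stored text is displayed, not
    // interpreted, even if sanitization was bypassed or skipped elsewhere.
    echo '<td>' . esc_html( $note ) . '</td>';
}

// If a field legitimately allows limited formatting, filter against an
// allowlist of tags instead of trusting the stored value.
function bk_render_rich_note( string $note ) {
    $allowed = array( 'b' => array(), 'i' => array() );
    echo '<td>' . wp_kses( $note, $allowed ) . '</td>';
}
```

Escaping at output is the control that matters most here, because data may reach the admin table through paths other than the sanitized form handler.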

Preconditions

  • config: The Booking Calendar plugin must be installed and active with a version before 9.7.3.1
  • network: The attacker must have network access to the WordPress site's booking form
  • input: An administrator must view the stored booking data in the admin interface

Reproduction

The advisory at [ref_id=1] states a proof of concept exists but does not include reproduction steps in the extracted text. No reproduction steps are available in the bundle.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.