Cross-site Scripting Vulnerability in Booking Manager by wpdevelop
CVE-2026-42751

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Booking Manager
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-42751?

The Booking Manager plugin by wpdevelop has a vulnerability that allows for stored Cross-site Scripting (XSS) attacks. This issue arises due to improper neutralization of input during the web page generation process. Attackers can exploit this vulnerability to inject malicious scripts that are stored on the server and executed in the context of users accessing affected pages. Such exploitation can lead to unauthorized actions and data exposure, compromising the security of websites utilizing this plugin, particularly in versions up to 2.1.18.

Affected Version(s)

Booking Manager 0 <= 2.1.18

References

https://patchstack.com/database/Wordpress/Plugin/booking-...

vdb-entry

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
Apr 29, 2026

Credit

dodoh4t | Patchstack Bug Bounty Program

CVE-2026-42751 Data

JSON