Stored Cross-Site Scripting Vulnerability in Bookero.pl Online Reservation Plugin for WordPress
CVE-2026-6910
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-6910?
The Bookero.pl Online Reservation Plugin for WordPress contains a vulnerability that allows for Stored Cross-Site Scripting through the bookero_products shortcode's hide_products and filter_products attributes. Due to inadequate input sanitization and output escaping within the bookero_products() function, attackers with contributor-level access can inject malicious web scripts directly into the pages. This injection occurs because the raw attribute values are concatenated into an inline <script> block without proper escaping, which then executes when a user visits the compromised page.
Affected Version(s)
Bookero.pl β system rezerwacji online 0 <= 2.2