Stored Cross-Site Scripting Vulnerability in Bookero.pl Online Reservation Plugin for WordPress
CVE-2026-6910

6.4MEDIUM

What is CVE-2026-6910?

The Bookero.pl Online Reservation Plugin for WordPress contains a vulnerability that allows for Stored Cross-Site Scripting through the bookero_products shortcode's hide_products and filter_products attributes. Due to inadequate input sanitization and output escaping within the bookero_products() function, attackers with contributor-level access can inject malicious web scripts directly into the pages. This injection occurs because the raw attribute values are concatenated into an inline <script> block without proper escaping, which then executes when a user visits the compromised page.

Affected Version(s)

Bookero.pl – system rezerwacji online 0 <= 2.2

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

zaim
.