CVE-2026-1945
Stored XSS in WPBookit Plugin Allows Arbitrary Script Injection
Publication date: 2026-03-04
Last updated on: 2026-03-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpbookit | wpbookit | to 1.0.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This Stored Cross-Site Scripting vulnerability can allow attackers to inject malicious scripts into pages viewed by other users. The impact includes:
- Execution of arbitrary JavaScript in the context of the affected website.
- Theft of user session cookies or credentials.
- Redirection of users to malicious websites.
- Potential defacement or unauthorized actions performed on behalf of users.
Because the vulnerability can be exploited by unauthenticated attackers, it poses a significant risk to all users interacting with the affected plugin, potentially compromising user data and site integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "The vulnerability in WPBookit plugin (versions up to 1.0.8) is a Stored Cross-Site Scripting (XSS) via the 'wpb_user_name' and 'wpb_user_email' parameters due to insufficient input sanitization and output escaping."}, {'type': 'paragraph', 'content': 'Detection can focus on identifying pages or requests where these parameters are accepted and checking if malicious scripts can be injected and executed.'}, {'type': 'paragraph', 'content': "Since the vulnerability involves injection of scripts in user-controllable fields, you can detect it by sending crafted payloads in the 'wpb_user_name' and 'wpb_user_email' parameters and observing if the payload executes when the page is accessed."}, {'type': 'list_item', 'content': "Use curl or similar tools to send HTTP POST or GET requests with XSS payloads in 'wpb_user_name' and 'wpb_user_email' parameters to the plugin's input endpoints."}, {'type': 'list_item', 'content': 'Example curl command to test injection: curl -X POST -d "wpb_user_name=<script>alert(1)</script>&[email protected]" https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=wpbookit_booking'}, {'type': 'list_item', 'content': 'Monitor the response or the rendered page for execution of the injected script (e.g., alert popup or script execution in browser developer tools).'}, {'type': 'paragraph', 'content': 'Additionally, scanning your WordPress installation for the plugin version can help identify if the vulnerable version (<=1.0.8) is installed.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary and immediate mitigation step is to update the WPBookit plugin to version 1.0.9 or later, where the vulnerability has been fixed by implementing proper output escaping and input validation.'}, {'type': 'list_item', 'content': 'Update the WPBookit plugin to version 1.0.9 or newer as released on 23/02/2026.'}, {'type': 'list_item', 'content': 'If immediate update is not possible, consider disabling or restricting access to the vulnerable plugin functionality to prevent unauthenticated attackers from injecting scripts.'}, {'type': 'list_item', 'content': "Implement Web Application Firewall (WAF) rules to detect and block attempts to inject scripts via 'wpb_user_name' and 'wpb_user_email' parameters."}, {'type': 'list_item', 'content': 'Review and sanitize any stored data that may have been injected with malicious scripts to prevent execution when accessed.'}, {'type': 'paragraph', 'content': 'These steps will help mitigate the risk of stored XSS attacks until the plugin is updated.'}] [1]
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "The WPBookit plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.0.8. This vulnerability arises because the plugin does not properly sanitize or escape user inputs in the 'wpb_user_name' and 'wpb_user_email' parameters. As a result, an unauthenticated attacker can inject malicious scripts that are stored and later executed whenever a user accesses the affected page."}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in version 1.0.9 by implementing comprehensive output escaping using functions like `_.escape()` to sanitize user data before rendering it in the DOM, replacing unsafe jQuery `.html()` calls with safer `.text()` or `.empty()`, validating inputs with regular expressions, and ensuring AJAX responses properly escape user content. These changes prevent the injection and execution of arbitrary scripts.'}] [1]