CVE-2026-2231
Stored XSS in Fluent Booking WordPress Plugin Allows Script Injection
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fluent_booking | fluent_booking | up to and including 2.0.01 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Fluent Booking plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 2.0.01. The vulnerability arises because the plugin does not properly sanitize input or escape output for multiple parameters. As a result, an unauthenticated attacker can inject malicious web scripts into pages. Because the payload is stored, the script executes whenever any user accesses the affected page, potentially compromising that user's session or data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the Fluent Booking plugin is a Stored Cross-Site Scripting (XSS) issue that allows unauthenticated attackers to inject arbitrary web scripts. This can lead to unauthorized access to user sessions, data theft, or manipulation of displayed content.
Such vulnerabilities can impact compliance with data protection regulations like GDPR and HIPAA because they may lead to unauthorized disclosure or alteration of personal data. Specifically, if attackers exploit the XSS vulnerability to steal user credentials or personal information, it could result in a breach of confidentiality and integrity requirements mandated by these standards.
However, the provided context and resources do not explicitly discuss or analyze the compliance impact of this vulnerability with respect to GDPR, HIPAA, or other common standards.
How can this vulnerability impact me?
This Stored Cross-Site Scripting vulnerability can allow attackers to execute arbitrary scripts in the context of users visiting the affected pages. Because the vulnerability is exploitable by unauthenticated attackers, it can lead to theft of user credentials, session hijacking, defacement of the website, or distribution of malware. The CVSS score of 7.2 indicates a high severity with network attack vector, low attack complexity, no privileges or user interaction required, and impacts confidentiality and integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability in the Fluent Booking WordPress plugin is a Stored Cross-Site Scripting (XSS) issue affecting all versions up to and including 2.0.01. It arises from insufficient input sanitization and output escaping on multiple parameters, allowing unauthenticated attackers to inject arbitrary scripts.
There is no explicit detection method or specific commands provided in the available resources or CVE description to identify exploitation attempts or presence of this vulnerability on your network or system.
Generally, detection of stored XSS vulnerabilities involves monitoring HTTP requests and responses for suspicious script injections, scanning plugin versions for known vulnerable releases, and using web application security scanners that can detect XSS payloads.
Since no direct commands or detection scripts are provided, you can at least check the installed version of the Fluent Booking plugin on your WordPress site with WP-CLI (`--fields` selects the columns to print; the plugin slug on WordPress.org is `fluent-booking`):

```shell
wp plugin list --fields=name,version | grep fluent-booking
```

If the version is 2.0.01 or earlier, the plugin is vulnerable. Additionally, manual inspection of stored booking data and of pages that render user-supplied parameters (booking locations, booking form fields) for injected script tags or event-handler attributes could help detect exploitation that has already occurred.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Fluent Booking plugin to a version later than 2.0.01, such as version 2.0.05, which presumably includes fixes for this vulnerability.
Since the vulnerability is due to insufficient input sanitization and output escaping, ensuring that your WordPress installation and plugins are up to date is critical.
If immediate updating is not possible, consider temporarily disabling the Fluent Booking plugin to prevent exploitation.
Additionally, review and harden your web application firewall (WAF) rules to detect and block common XSS payloads targeting booking-related parameters.
Monitor your website for suspicious activity or unexpected script injections in booking pages.
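As an added illustration of the two answers above (the detection answer and the mitigation answer), the following Python example is not code from the Fluent Booking plugin or from Wordfence. It works on constructed sample booking records whose field names (`location`, `guest_name`) and textbook payloads are assumptions, not the CVE's actual parameters. `find_suspicious` is the kind of scan over stored values that the detection answer describes; `render_vulnerable` and `render_hardened` contrast the CWE-79 defect (stored data placed in the page without output escaping) with escaping at output time; and `foreign_markup` uses a real HTML parser to confirm that the hardened output contains no tags or event-handler attributes beyond the template's own, which a plain regex cannot do reliably once the payload has been escaped.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample of stored booking records. These are not data from the
# Fluent Booking plugin; the field names "location" and "guest_name" are
# assumptions chosen for illustration, and the payloads are the classic
# textbook forms, not the CVE's actual injection vectors.
STORED_BOOKINGS = [
    {"id": 1, "location": "Room 4B", "guest_name": "Alice Example"},
    {"id": 2, "location": "<script>alert(1)</script>", "guest_name": "Bob Example"},
    {"id": 3, "location": '" onmouseover="alert(1)', "guest_name": "Carol Example"},
    {"id": 4, "location": "Online", "guest_name": "<img src=x onerror=alert(1)>"},
]

# In fields meant to hold a plain location or a person's name, any of these
# is a strong indicator of an injected script fragment.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b"  # active HTML tags
    r"|\bon[a-z]+\s*="                                   # event-handler attributes
    r"|javascript\s*:",                                  # javascript: URLs
    re.IGNORECASE,
)


def find_suspicious(records, fields=("location", "guest_name")):
    """Scan stored records; return (id, field, value) for every flagged value."""
    hits = []
    for rec in records:
        for field in fields:
            value = rec.get(field, "")
            if SUSPICIOUS.search(value):
                hits.append((rec["id"], field, value))
    return hits


# A toy template (an assumption, not the plugin's markup) that places user
# data in an attribute value and in two text nodes.
TEMPLATE = '<div class="booking" data-location="{loc}"><h3>{name}</h3><p>{loc}</p></div>'
TEMPLATE_TAGS = {"div", "h3", "p"}
TEMPLATE_ATTRS = {"class", "data-location"}


def render_vulnerable(rec):
    """CWE-79: stored values go into the page without output escaping."""
    return TEMPLATE.format(loc=rec["location"], name=rec["guest_name"])


def render_hardened(rec):
    """Escape at output time; quote=True also neutralises the attribute context."""
    return TEMPLATE.format(
        loc=html.escape(rec["location"], quote=True),
        name=html.escape(rec["guest_name"], quote=True),
    )


class MarkupCollector(HTMLParser):
    """Collect every tag and attribute name the browser would actually parse."""

    def __init__(self):
        super().__init__()
        self.tags, self.attrs = set(), set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)
        self.attrs.update(name for name, _ in attrs)


def foreign_markup(rendered):
    """Tags and attributes in the output that the template itself did not emit.

    A parser is used instead of a regex so that escaped text such as
    'onmouseover=' sitting inside a quoted attribute value is treated as inert,
    exactly as a browser would treat it."""
    collector = MarkupCollector()
    collector.feed(rendered)
    collector.close()
    return sorted(collector.tags - TEMPLATE_TAGS), sorted(collector.attrs - TEMPLATE_ATTRS)


if __name__ == "__main__":
    for rec_id, field, value in find_suspicious(STORED_BOOKINGS):
        print(f"record {rec_id}: suspicious {field!r}: {value!r}")
    for rec in STORED_BOOKINGS:
        print(rec["id"], "vulnerable:", foreign_markup(render_vulnerable(rec)),
              "hardened:", foreign_markup(render_hardened(rec)))
```

Record 3 is the instructive case: its payload carries no `<` at all, so a scanner that only looks for tags would miss it, and in the vulnerable rendering it breaks out of the `data-location` attribute and adds an `onmouseover` handler. In a real WordPress plugin the equivalents of `html.escape(..., quote=True)` are `esc_html()` for text nodes and `esc_attr()` for attribute values; the example is in Python only so that it runs stand-alone.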