CVE-2026-25435
Stored XSS in wpdevart Booking Calendar Allows Persistent Attacks
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpdevart | booking_calendar | up to 3.2.36 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-site Scripting (XSS) issue found in the wpdevart Booking calendar, Appointment Booking System plugin. It occurs due to improper neutralization of input during web page generation, which means that malicious scripts can be injected and stored by the application. When other users access the affected pages, these scripts can execute in their browsers.
How can this vulnerability impact me?
The Stored XSS vulnerability can allow attackers to execute malicious scripts in the context of users visiting the affected booking calendar pages. This can lead to theft of user credentials, session hijacking, defacement of the website, or distribution of malware to users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a Cross Site Scripting (XSS) issue that allows attackers to inject malicious scripts into affected websites. Such vulnerabilities can lead to unauthorized access to user data or session hijacking, which may result in breaches of data protection requirements under regulations like GDPR or HIPAA.
Because the vulnerability enables execution of malicious code in the context of the affected website, it can compromise the confidentiality and integrity of user data, potentially violating compliance obligations related to protecting personal or sensitive information.
Immediate mitigation or patching is advised to reduce the risk of exploitation and help maintain compliance with security standards that require protection against such vulnerabilities.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Stored Cross-site Scripting (XSS) issue in the WordPress Booking calendar, Appointment Booking System plugin, versions up to 3.2.36. Detection involves identifying malicious script injections in the plugin's input fields or stored data.
Since the vulnerability allows injection of malicious scripts that execute when a privileged user interacts with the site, detection can include monitoring for unusual script tags or suspicious payloads in the plugin's stored data or in the rendered web pages.
Specific commands are not provided in the resources, but general approaches include:
- Using web vulnerability scanners that detect XSS vulnerabilities on the affected plugin pages.
- Manually inspecting input fields and stored content in the Booking calendar plugin for suspicious scripts.
- Using tools like curl or wget to fetch pages and grep for suspicious script tags or payloads.
- Monitoring web server logs for unusual requests or payloads targeting the plugin.
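As an added illustration of the "fetch and grep" approach above (this is example code, not from the advisory, Patchstack, or the plugin), the Python below scans constructed sample records of the kind a booking plugin might store; the field names and values are made up. It shows why a plain grep for `<script` is not enough: event-handler attributes, `javascript:` URIs and entity-encoded markup also need to be checked.

```python
from __future__ import annotations

import html
import re

# Constructed sample records standing in for stored plugin fields
# (field name -> stored value). Made-up test data, not real bookings.
SAMPLE_RECORDS: dict[str, str] = {
    "title_ok": "Dentist appointment 10:00",
    "note_script": "Reschedule <script>alert(1)</script>",
    "note_handler": '<img src=x onerror="alert(1)">',
    "desc_jsuri": '<a href="javascript:alert(1)">details</a>',
    "desc_encoded": "&lt;svg onload=alert(1)&gt;",
    "name_plain": "O'Brien & Sons",
}

# Indicators of active content that should never survive output escaping.
INDICATORS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("inline_svg_or_iframe", re.compile(r"<\s*(svg|iframe|object|embed)\b", re.I)),
]


def scan_value(value: str) -> list[str]:
    """Return the indicator names matching value, checked both as stored and
    after HTML-entity decoding so encoded payloads are not missed."""
    hits: list[str] = []
    for text in (value, html.unescape(value)):
        for name, pattern in INDICATORS:
            if name not in hits and pattern.search(text):
                hits.append(name)
    return hits


def scan_records(records: dict[str, str]) -> dict[str, list[str]]:
    """Map each field that triggers at least one indicator to its hits."""
    return {field: hits for field, value in records.items() if (hits := scan_value(value))}


def naive_script_grep(records: dict[str, str]) -> list[str]:
    """The plain '<script' grep, for comparison: it finds only one of four."""
    return [field for field, value in records.items() if "<script" in value.lower()]


if __name__ == "__main__":
    for field, hits in scan_records(SAMPLE_RECORDS).items():
        print(f"{field}: {', '.join(hits)}")
    print("naive grep found:", naive_script_grep(SAMPLE_RECORDS))
```

The same `scan_value` can be run over page bodies fetched with curl or over a database export of the plugin's tables; a hit is a lead to inspect, not proof of exploitation.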
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the mitigation rule provided by Patchstack to block attacks until an official patch is released.
Since no official patch is currently available, it is advised to:
- Apply Patchstack's mitigation rule to protect the affected WordPress plugin.
- Limit privileged user interactions with the affected plugin until mitigation is in place.
- Monitor for updates and apply the official patch as soon as it becomes available.