CVE-2026-3003
Stored XSS in Vagaro Booking Widget WordPress Plugin Allows Script Injection
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vagaro | vagaro_booking_widget | to 0.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Vagaro Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the ‘vagaro_code’ parameter in all versions up to and including 0.3.
This vulnerability occurs because the plugin does not properly sanitize input or escape output, allowing attackers to inject arbitrary web scripts.
These malicious scripts are stored and then executed whenever a user accesses a page containing the injected code.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to inject malicious scripts into web pages that users visit.
When users access these pages, the injected scripts execute in their browsers, potentially leading to theft of sensitive information, session hijacking, or other malicious actions.
The CVSS score of 7.2 indicates a high severity, with low attack complexity and no need for user interaction, meaning it is relatively easy for attackers to exploit.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability involves Stored Cross-Site Scripting (XSS) via the 'vagaro_code' parameter in the Vagaro Booking Widget plugin for WordPress. Detection involves checking if the plugin version is 0.3 or earlier and if the 'vagaro_code' parameter is susceptible to injection."}, {'type': 'paragraph', 'content': "To detect exploitation attempts or presence of malicious scripts, you can search your WordPress database for suspicious or unexpected script tags or JavaScript code in the 'code' column of the 'vagaro' table."}, {'type': 'list_item', 'content': "Use a database query to inspect the 'code' field for injected scripts, for example (replace wp_ with your database prefix):"}, {'type': 'list_item', 'content': "SELECT id, businessName, code FROM wp_vagaro WHERE code LIKE '%<script>%';"}, {'type': 'list_item', 'content': "Check the WordPress page titled 'Book 24/7' that uses the shortcode [vagaro_booking_widget] for any unexpected script execution."}, {'type': 'list_item', 'content': "Monitor HTTP requests to pages containing the booking widget for suspicious payloads in the 'vagaro_code' parameter."}] [2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': 'Update the Vagaro Booking Widget plugin to a version later than 0.3 where the vulnerability is fixed, if available.'}, {'type': 'list_item', 'content': 'If an update is not available, consider disabling or deactivating the plugin to prevent exploitation.'}, {'type': 'list_item', 'content': "Manually sanitize and remove any malicious scripts found in the 'code' field of the 'vagaro' database table."}, {'type': 'list_item', 'content': 'Restrict access to the WordPress admin interface to trusted users only.'}, {'type': 'list_item', 'content': "Implement Web Application Firewall (WAF) rules to block suspicious payloads targeting the 'vagaro_code' parameter."}] [2]