CVE-2026-8143
Stored XSS in HBook WordPress Plugin
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hbook | hbook | up to and including 2.1.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The HBook plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.1.6. This vulnerability exists because the plugin does not properly sanitize or escape input in the parameters 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso'.
As a result, an unauthenticated attacker can inject malicious scripts into pages, specifically the HBook Customers admin page. The injected scripts execute whenever a user accesses the infected page.
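The two missing controls named above, input validation and output escaping, shown for the three parameters as an added example in plain PHP 8; this is not HBook's code or its patch. The function names are hypothetical, and the rule that each field holds a 2 to 3 letter ISO-style code is an assumption.

```php
<?php
// Added example, not HBook's code. Assumption: the three fields carry
// short ISO-style codes such as "FR", "CA" or "QC".
const ISO_FIELDS = ['hb_country_iso', 'hb_usa_state_iso', 'hb_canada_province_iso'];

// Input side: accept a value only if it is a 2-3 letter code.
function normalize_iso_code(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null; // arrays and missing values are rejected
    }
    $code = strtoupper(trim($raw));
    // \A and \z anchor the whole string, so a trailing newline cannot slip through.
    return preg_match('/\A[A-Z]{2,3}\z/', $code) === 1 ? $code : null;
}

// Validate all three fields of a submission; anything invalid is stored as ''.
function clean_customer_codes(array $post): array
{
    $clean = [];
    foreach (ISO_FIELDS as $field) {
        $clean[$field] = normalize_iso_code($post[$field] ?? null) ?? '';
    }
    return $clean;
}

// Output side: encode on render as well, so rows stored before validation
// existed are displayed as text instead of being parsed as HTML.
function render_customer_cell(string $stored): string
{
    return '<td>' . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Constructed sample submission: a valid code, a markup string, and an array.
$post = [
    'hb_country_iso'         => 'fr',
    'hb_usa_state_iso'       => '<script>alert(1)</script>',
    'hb_canada_province_iso' => ['QC'],
];
var_dump(clean_customer_codes($post));
echo render_customer_cell('<script>alert(1)</script>'), PHP_EOL;
```

Inside WordPress, `esc_html()` and `esc_attr()` are the usual functions for the output-encoding step.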
How can this vulnerability impact me?
This vulnerability can allow attackers to execute arbitrary scripts in the context of the affected website. Because it is a stored XSS, the malicious code persists on the site and can affect multiple users.
- Attackers can steal sensitive information such as cookies or session tokens.
- It can lead to unauthorized actions performed on behalf of users.
- It may compromise the integrity and trustworthiness of the website.
- Since the vulnerability is exploitable without authentication, it increases the risk of widespread exploitation.