CVE-2026-57638
Status: Deferred - Pending Action
Contributor Cross Site Scripting in Fluent Booking

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description
Contributor-level Cross Site Scripting (XSS) in the Fluent Booking WordPress plugin, versions <= 2.1.0.
Affected Vendors & Products (1 associated CPE)
Vendor: wpbeaverbuilder
Product: fluent_booking
Version / Range: up to and including 2.1.0
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

The WordPress Fluent Booking plugin, versions 2.1.0 and below, is vulnerable to Cross Site Scripting (XSS). An attacker who holds an account on the site can inject script into content that the plugin renders; that script then runs in the browsers of other users who view the affected content and can, for example, redirect them or display unwanted advertisements.

The "Contributor" in the title is the minimum WordPress role the attacker needs, not a victim who must be tricked into clicking something: a Contributor account (the lowest default role that can create content) is enough to plant the payload, and the payload fires when another user simply views the affected page. This is what makes the issue relevant to any site that grants Contributor or higher roles to people it does not fully trust.

The vulnerability has a CVSS score of 6.5 (medium severity) and was fixed in version 2.1.1 of the plugin.

Impact Analysis

This vulnerability can impact you by allowing attackers to inject malicious scripts into your website if you use the vulnerable versions of the Fluent Booking plugin.

  • Attackers could cause unwanted redirects for your visitors.
  • Malicious advertisements or other harmful HTML payloads could be executed on your site.

Such actions can degrade user trust, harm your website’s reputation, and potentially lead to further security issues.

Successful exploitation requires the attacker to already hold a Contributor-level (or higher) account, so the exposure is highest on sites that hand such accounts to untrusted parties, such as guest authors or external bookers. Limiting who holds Contributor or higher roles and updating the plugin are the main mitigations.

Detection Guidance

This vulnerability affects the WordPress Fluent Booking Plugin versions 2.1.0 and below. Detection involves identifying if your system is running a vulnerable version of this plugin.

You can check the installed version of the Fluent Booking plugin on your WordPress site by running commands to list installed plugins and their versions.

  • Use WP-CLI command: wp plugin list | grep fluent-booking
  • Alternatively, check the plugin version in the WordPress admin dashboard under Plugins.

Since the payload is planted by an authenticated Contributor-level user, also review content created by such accounts for injected HTML or script, and monitor web and application logs for script-injection patterns (for example literal or URL-encoded <script tags, javascript: URLs, or event-handler attributes such as onerror= in submitted parameters). Standard access logs only record the request line, so payloads sent in POST bodies will not appear there; application-level logging or a review of stored content is needed to catch those.
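The two detection steps above (version check, then a heuristic log scan) combined into one script. This is an added example, not code from the advisory, Patchstack or the plugin vendor. It assumes the plugin slug is fluent-booking (the slug used in the WP-CLI grep above) and that 2.1.1 is the first fixed version, as the advisory states; the log lines it scans are constructed samples, not real traffic.

```shell
#!/bin/sh
# Added example for CVE-2026-57638: is the installed Fluent Booking version
# vulnerable, and does the access log show script-injection attempts?
# Assumptions (not taken from the advisory's own code): plugin slug "fluent-booking",
# first fixed version 2.1.1.
FIXED_VERSION="2.1.1"

# version_lt A B: true (exit 0) when dotted-numeric version A is strictly lower than B.
# Pure POSIX sh, so it does not depend on GNU "sort -V"; non-numeric suffixes
# such as "-beta" are ignored for comparison purposes.
version_lt() {
    v1=$1 v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        f1=${v1%%.*}; f2=${v2%%.*}
        if [ "$v1" = "$f1" ]; then v1=; else v1=${v1#*.}; fi
        if [ "$v2" = "$f2" ]; then v2=; else v2=${v2#*.}; fi
        f1=${f1%%[!0-9]*}; f2=${f2%%[!0-9]*}
        f1=${f1:-0}; f2=${f2:-0}
        if [ "$f1" -lt "$f2" ]; then return 0; fi
        if [ "$f1" -gt "$f2" ]; then return 1; fi
    done
    return 1
}

# fluent_booking_status VERSION: prints "vulnerable" for <= 2.1.0, "patched" otherwise.
fluent_booking_status() {
    if version_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo patched; fi
}

# installed_fluent_booking_version: reads the installed version via WP-CLI when
# available (run from the WordPress root or with --path=...).
installed_fluent_booking_version() {
    command -v wp >/dev/null 2>&1 || return 1
    wp plugin get fluent-booking --field=version 2>/dev/null
}

# suspicious_xss_requests: reads access-log lines on stdin and prints those whose
# request line carries a literal or URL-encoded script-injection marker. This is a
# heuristic: it only sees payloads in the URL, not in POST bodies.
suspicious_xss_requests() {
    grep -iE '(<|%3c)script|javascript(:|%3a)|on(error|load|mouseover)(=|%3d)'
}

# Constructed sample log lines (not real traffic): lines 2 and 3 should be flagged.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [26/Jun/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=fluent-booking HTTP/1.1" 200 512
203.0.113.9 - - [26/Jun/2026:10:00:07 +0000] "GET /?fluent_booking=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
203.0.113.7 - - [26/Jun/2026:10:00:09 +0000] "GET /booking/?name=test%22%20onerror%3Dalert(1) HTTP/1.1" 200 512
198.51.100.2 - - [26/Jun/2026:10:00:12 +0000] "GET /booking/demo-event/ HTTP/1.1" 200 4096
EOF
)

main() {
    if v=$(installed_fluent_booking_version); then
        echo "fluent-booking $v: $(fluent_booking_status "$v")"
    else
        echo "WP-CLI not available; check manually, e.g.: fluent_booking_status 2.1.0"
    fi
    echo "Suspicious requests in the sample log:"
    printf '%s\n' "$SAMPLE_LOG" | suspicious_xss_requests
}

main
```

Run it on the server as the web user, or pipe a real access log into suspicious_xss_requests instead of the sample. Any hit is a reason to inspect the content created by Contributor accounts, not proof of exploitation; the version check is the authoritative signal, and wp plugin update fluent-booking applies the fix.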

Mitigation Strategies

The immediate and recommended mitigation step is to update the Fluent Booking plugin to version 2.1.1 or later, where this vulnerability is patched.

If you are a Patchstack user, enabling auto-updates for vulnerable plugins can help ensure timely patching.

Additionally, apply least privilege to accounts: grant the Contributor role (or higher) only to people you trust, remove or downgrade accounts that no longer need it, and review content submitted by Contributor-level users before it is published or viewed by administrators.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
