WordPress Plugin Vulnerabilities

Booking calendar, Appointment Booking System <= 3.2.36 - Unauthenticated Stored Cross-Site Scripting

Description

The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
booking-calendar
No known fix

References

CVE
CVE-2026-25435
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/00ab5d7e-be38-42ea-befc-e1d91de13d1b

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.2 (high)

Miscellaneous

Original Researcher
dragonzen
Verified
No
WPVDB ID
ba48b447-2f45-4411-bd9d-03039c3b847f

Timeline

Publicly Published
2026-03-18 (about 2 months ago)
Added
2026-03-26 (about 2 months ago)
Last Updated
2026-03-26 (about 2 months ago)

Other

Published
Title
Published
2026-02-13
Title
UpMenu <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'upmenu-menu' Shortcode 'lang' Attribute
Published
2023-02-20
Title
Gutenberg Blocks by WordPress Download Manager < 2.1.9 - Contributor+ XSS
Published
2020-01-28
Title
SAML SP Single Sign On < 4.8.84 - Cross-Site Scripting (XSS) via Crafted SAML XML Response
Published
2024-03-25
Title
Carousel Slider < 2.2.7 - Editor+ Stored Cross-Site Scripting
Published
2025-01-02
Title
Plugin Oficial – Getnet para WooCommerce < 1.8.1 - Admin+ Stored XSS