CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
What the vulnerability does
The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.0.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Explanation of Vulnerability in Simple Terms
Fluent Booking versions 2.0.01 and earlier contain a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into the application. The vulnerability can be exploited remotely without authentication or user interaction. Affected sites may serve malicious content to visitors, potentially compromising user data or session tokens.
What an attacker can do
Inject malicious JavaScript that runs in visitors' browsers and steals session data or credentials.
Potential impact on your site
Visitors may have their sessions hijacked or credentials stolen; site reputation and user trust at risk.
Conditions required to exploit
Network access to the site; no authentication or user interaction required.
Key dates
External resources
Related vulnerabilities
