Fluent Booking

7.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Description

The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.0.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Basic Information

ID CVE-2026-2231

Source Wordfence

Published Mar 26, 2026 at 13:26

Modified Apr 8, 2026 at 16:46

Affected Product

Vendor techjewel

Product Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution

Affected Versions techjewel Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution 0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.0.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
    "published": "2026-03-26T13:26:06.173Z",
    "modified": "2026-04-08T16:46:19.413Z",
    "type": "cve",
    "title": "Fluent Booking <= 2.0.01 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/37441cc0-c43c-40e4-a170-1be59e112272?source=cve\nhttps://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Services/LocationService.php#L115\nhttps://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Models/Booking.php#L448\nhttps://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Hooks/Handlers/FrontEndHandler.php#L864\nhttps://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Services/LocationService.php#L110\nhttps://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Models/Booking.php#L440\nhttps://plugins.trac.wordpress.org/changeset/3463540/",
    "id": "CVE-2026-2231",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "techjewel Fluent Booking \u2013 The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Fluent Booking \u2013 The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution",
    "version": "0",
    "vendor": "techjewel",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Fluent Booking <= 2.0.01 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters_CVE-2026-2231