CVE-2026-6910 in Bookero.pl Plugininfo

Summary

by MITRE • 07/09/2026

The Bookero.pl – system rezerwacji online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `bookero_products` shortcode's `hide_products` (and `filter_products`) attributes in versions up to and including 2.2. This is due to insufficient input sanitization and output escaping in the `bookero_products()` function — the raw attribute value is concatenated directly into an inline `<script>` block without any escaping. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability in Bookero.pl plugin represents a critical stored cross-site scripting weakness that undermines the security posture of WordPress installations relying on this booking system. This flaw exists within the `bookero_products()` function where the `hide_products` and `filter_products` attributes are processed without proper sanitization or escaping mechanisms. The vulnerability affects versions up to and including 2.2, creating a persistent threat vector that can be exploited by authenticated attackers possessing contributor-level privileges or higher. The attack surface is particularly concerning as it allows malicious actors to inject arbitrary JavaScript code directly into the plugin's shortcode processing logic.

The technical execution of this vulnerability occurs through the direct concatenation of raw user input into inline javascript blocks without appropriate escaping or sanitization procedures. When an attacker provides malicious payload through the `hide_products` or `filter_products` parameters, these values are immediately incorporated into generated HTML output without any filtering or encoding. This primitive handling of user-supplied data creates a persistent XSS vector that can be triggered whenever pages containing the affected shortcode are accessed by any user with appropriate privileges. The vulnerability manifests as stored XSS because the malicious code is saved within the plugin's processing logic rather than being executed only during the initial request.

The operational impact of this vulnerability extends beyond simple script execution as it enables attackers to perform a wide range of malicious activities including session hijacking, data exfiltration, and privilege escalation. Authenticated attackers can leverage this vulnerability to execute arbitrary scripts in the context of other users' browsers, potentially compromising their sessions or stealing sensitive information. The attack requires minimal privileges but can cause significant damage as contributors typically have access to modify content and settings within WordPress installations. This makes the vulnerability particularly dangerous in multi-user environments where different privilege levels exist.

From a cybersecurity perspective, this vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in software applications. The weakness demonstrates poor input validation and output escaping practices that violate fundamental security principles. According to ATT&CK framework, this represents a technique for code injection and privilege escalation through web application vulnerabilities. Organizations should implement immediate mitigations including patching to the latest plugin version, implementing strict input validation for shortcode attributes, and applying proper output encoding for all dynamic content. Additionally, network monitoring should be enhanced to detect suspicious script injections and access patterns that may indicate exploitation attempts.

Responsible

Wordfence

Reservation

04/23/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!