{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2231", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-08T20:23:42.165Z", "datePublished": "2026-03-26T13:26:06.173Z", "dateUpdated": "2026-04-08T16:46:19.413Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:19.413Z"}, "affected": [{"vendor": "techjewel", "product": "Fluent Booking \u2013 The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.01", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.0.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Fluent Booking <= 2.0.01 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/37441cc0-c43c-40e4-a170-1be59e112272?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Services/LocationService.php#L115"}, {"url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Models/Booking.php#L448"}, {"url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Hooks/Handlers/FrontEndHandler.php#L864"}, {"url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Services/LocationService.php#L110"}, {"url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Models/Booking.php#L440"}, {"url": "https://plugins.trac.wordpress.org/changeset/3463540/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "timeline": [{"time": "2026-02-08T20:45:41.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-25T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T16:09:12.206282Z", "id": "CVE-2026-2231", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:09:24.744Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2231", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:09:12.206282Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:09:19.631Z"}}], "cna": {"title": "Fluent Booking <= 2.0.01 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters", "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "techjewel", "product": "Fluent Booking \u2013 The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.01"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-08T20:45:41.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-25T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/37441cc0-c43c-40e4-a170-1be59e112272?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Services/LocationService.php#L115"}, {"url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Models/Booking.php#L448"}, {"url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Hooks/Handlers/FrontEndHandler.php#L864"}, {"url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Services/LocationService.php#L110"}, {"url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Models/Booking.php#L440"}, {"url": "https://plugins.trac.wordpress.org/changeset/3463540/"}], "descriptions": [{"lang": "en", "value": "The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.0.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:19.413Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2231", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:46:19.413Z", "dateReserved": "2026-02-08T20:23:42.165Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-26T13:26:06.173Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.0.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Fluent Booking para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de m\u00faltiples par\u00e1metros en todas las versiones hasta la 2.0.01, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto posibilita que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-2231", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-26T14:16:09.670", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Hooks/Handlers/FrontEndHandler.php#L864"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Models/Booking.php#L440"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Models/Booking.php#L448"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Services/LocationService.php#L110"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/fluent-booking/trunk/app/Services/LocationService.php#L115"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3463540/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/37441cc0-c43c-40e4-a170-1be59e112272?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.01]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Fluent Booking \u2013 The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution", "source": "cna", "vendor": "techjewel"}, "product": "fluent_booking_\u2013_the_ultimate_appointments_scheduling,_events_booking,_events_calendar_solution", "vendor": "techjewel"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T15:03:12.671236+00:00", "value": {"mitigation_remediation": ["Update the Fluent Booking plugin to the latest available version (\u22652.0.02).", "If an update is not yet released, disable the plugin or the affected functions until a patch is available.", "Inspect the site for any injected malicious scripts and remove them promptly.", "Implement a web application firewall or use a security plugin that filters and sanitizes user input to mitigate similar risks."], "summary": {"action": "Immediate Patch", "impact": "Stored cross\u2011site scripting that allows arbitrary script execution on visitor browsers"}, "threat_synthesis": {"affected_systems": "Vendors: TechJewel. Product: Fluent Booking \u2013 The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution. All installed versions up to and including 2.0.01 are affected. Users running WordPress sites with this plugin should verify their version and apply updates accordingly.", "description_and_impact": "The Fluent Booking plugin is susceptible to stored cross\u2011site scripting via multiple input fields that fail to sanitize or escape user content. This flaw permits an unauthenticated attacker to embed malicious scripts, which will be rendered and executed when any visitor loads the affected page. The weakness aligns with CWE\u201179 and can compromise confidentiality, integrity, or availability by enabling session hijacking, phishing, or data exfiltration, as the injected code runs with the permissions of the visiting user.", "risk_and_exploitability": "The CVSS base score of 7.2 indicates a medium\u2011to\u2011high severity. The flaw is exploitable without authentication and can be triggered by any user who submits data to the vulnerable parameters, making it widely accessible. While EPSS data is unavailable, the nature of stored XSS coupled with its remote impact suggests a high likelihood of exploitation in practice. The vulnerability is not currently listed the CISA KEV catalog, but operators should treat it as a serious risk."}}}}, "created": "2026-03-27T08:34:18.671293+00:00", "updated": "2026-03-27T09:26:46.899969+00:00", "vendors": ["techjewel", "techjewel$PRODUCT$fluent_booking_\u2013_the_ultimate_appointments_scheduling,_events_booking,_events_calendar_solution", "wordpress", "wordpress$PRODUCT$wordpress"]}