{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9346", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-22T14:17:13.254Z", "datePublished": "2025-08-28T03:42:44.982Z", "dateUpdated": "2026-04-08T17:22:06.525Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:22:06.525Z"}, "affected": [{"vendor": "wpdevelop", "product": "Booking Calendar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "10.14.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 10.14.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Booking Calendar <= 10.14.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ca47486b-0761-48b8-94a7-77175ed5a37e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3348957/booking/trunk/core/any/class-admin-settings-api.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Cody Sixteen"}], "timeline": [{"time": "2025-08-22T16:31:08.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-27T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-28T13:37:04.685742Z", "id": "CVE-2025-9346", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-28T14:49:12.818Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9346", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-28T13:37:04.685742Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-28T13:37:07.690Z"}}], "cna": {"title": "Booking Calendar <= 10.14.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Cody Sixteen"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpdevelop", "product": "Booking Calendar", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "10.14.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-22T16:31:08.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-27T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ca47486b-0761-48b8-94a7-77175ed5a37e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3348957/booking/trunk/core/any/class-admin-settings-api.php"}], "descriptions": [{"lang": "en", "value": "The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 10.14.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:22:06.525Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9346", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:22:06.525Z", "dateReserved": "2025-08-22T14:17:13.254Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-28T03:42:44.982Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 10.14.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Booking Calendar para WordPress es vulnerable a cross-site scripting (XSS) almacenado a trav\u00e9s de la configuraci\u00f3n en todas las versiones hasta la 10.14.1 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de administrador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-9346", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-28T04:16:04.717", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3348957/booking/trunk/core/any/class-admin-settings-api.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ca47486b-0761-48b8-94a7-77175ed5a37e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:47:20.767875+00:00", "value": {"mitigation_remediation": ["Upgrade the Booking Calendar plugin to the latest version that addresses the stored XSS vulnerability (any release beyond 10.14.1).", "If an immediate upgrade is not possible, restrict access to the plugin settings and options to administrator and super administrator roles, and consider disabling the plugin until a patch is applied.", "Use a web application firewall such as Wordfence to block potential XSS payloads and monitor for suspicious input in the plugin\u2019s configuration pages."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting that allows injection of arbitrary scripts into pages viewed by site users"}, "threat_synthesis": {"affected_systems": "The flaw affects all versions of the Booking Calendar plugin by wpdevelop up to and including 10.14.1. Site owners running any of those releases on WordPress require remediation.", "description_and_impact": "The Booking Calendar WordPress plugin contains a stored XSS flaw that permits authenticated users with Administrator\u2011level privileges to inject arbitrary JavaScript into the plugin\u2019s settings. When a vulnerable page is loaded, the injected script runs in the context of any user who visits that page, providing an attacker with the possibility of session hijacking, credential theft, or defacement. This vulnerability resides in the input handling of the booking settings interface.", "risk_and_exploitability": "The CVSS base score is 6.4, indicating a medium\u2011to\u2011high risk. The EPSS score of less than 1\u202f% indicates that the probability of exploitation in the wild is low. Because the flaw requires authenticated access, the attack vector is limited to users who can log in with Administrator or higher level roles. Even though the vulnerability is not listed in the CISA KEV catalog, it remains a significant threat to sites that rely on this plugin because of its potential to impact many visitors."}}}}, "created": "2026-04-20T20:00:10.505412+00:00", "updated": "2026-04-20T20:00:10.505424+00:00", "vendors": []}