{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3003", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-23T04:28:42.702Z", "datePublished": "2026-03-21T03:26:51.576Z", "dateUpdated": "2026-04-08T17:02:19.050Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:19.050Z"}, "affected": [{"vendor": "vagaro", "product": "Vagaro Booking Widget", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Vagaro Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018vagaro_code\u2019 parameter in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Vagaro Booking Widget <= 0.3 - Unauthenticated Stored Cross-Site Scripting via 'vagaro_code'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a480473-ceae-4621-9b13-e0f0543c57e3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/vagaro-booking-widget/trunk/vagaro-booking-widget.php#L104"}, {"url": "https://plugins.trac.wordpress.org/browser/vagaro-booking-widget/trunk/vagaro-booking-widget.php#L230"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2026-03-20T15:05:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:48:57.866376Z", "id": "CVE-2026-3003", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:49:19.754Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3003", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T13:48:57.866376Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:49:15.962Z"}}], "cna": {"title": "Vagaro Booking Widget <= 0.3 - Unauthenticated Stored Cross-Site Scripting via 'vagaro_code'", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "vagaro", "product": "Vagaro Booking Widget", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:05:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a480473-ceae-4621-9b13-e0f0543c57e3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/vagaro-booking-widget/trunk/vagaro-booking-widget.php#L104"}, {"url": "https://plugins.trac.wordpress.org/browser/vagaro-booking-widget/trunk/vagaro-booking-widget.php#L230"}], "descriptions": [{"lang": "en", "value": "The Vagaro Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018vagaro_code\u2019 parameter in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:26:51.576Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3003", "state": "PUBLISHED", "dateUpdated": "2026-03-24T13:49:19.754Z", "dateReserved": "2026-02-23T04:28:42.702Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:51.576Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Vagaro Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018vagaro_code\u2019 parameter in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Vagaro Booking Widget para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'vagaro_code' en todas las versiones hasta la 0.3, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-3003", "lastModified": "2026-04-24T16:27:44.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:17:18.623", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/vagaro-booking-widget/trunk/vagaro-booking-widget.php#L104"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/vagaro-booking-widget/trunk/vagaro-booking-widget.php#L230"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a480473-ceae-4621-9b13-e0f0543c57e3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Vagaro Booking Widget", "source": "cna", "vendor": "vagaro"}, "product": "vagaro_booking_widget", "vendor": "vagaro"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T06:38:43.849902+00:00", "value": {"mitigation_remediation": ["Upgrade the Vagaro Booking Widget to a version newer than 0.3, if available.", "If an update is not available, remove or disable the plugin until a patch is issued.", "Review and restrict access to the vagaro_code field so that only trusted administrators can modify it, and validate any input to escape malicious HTML characters."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All deployments of the Vagaro Booking Widget plugin for WordPress, up to and including release 0.3, are affected. Any WordPress site that has installed one of these versions, especially those that expose the vagaro_code field to unauthenticated users or allow public editing of plugin settings, is vulnerable.", "description_and_impact": "The vagaro_booking_widget plugin for WordPress suffers from a stored cross\u2011site scripting flaw. An attacker can supply a malicious payload in the vagaro_code parameter, which the plugin fails to sanitise and escape before saving. The payload is persistently stored and later executed whenever any user views a page that includes the plugin\u2019s output, giving the attacker the ability to run arbitrary JavaScript in the victim\u2019s browser. This can lead to theft of session cookies, defacement, or other client\u2011side attacks.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.2, indicating significant severity. Because the attack does not require authentication and only needs the plugin to be installed, it is highly exploitable in practice. No EPSS score is available and the issue is not listed in the CISA KEV catalog, but the stored XSS nature makes it a high\u2011risk vector for compromising site visitors. Both the scope and impact remain contained to the affected site and its users; however, any attacker who can deliver a payload could steal credentials or hijack sessions for that site\u2019s audience."}}}}, "created": "2026-03-23T09:50:28.895254+00:00", "updated": "2026-03-25T14:42:01.972291+00:00", "vendors": ["vagaro", "vagaro$PRODUCT$vagaro_booking_widget", "wordpress", "wordpress$PRODUCT$wordpress"]}