CVE-2026-1607

Name of the Vulnerable Software and Affected Versions Surbma | Booking.com Shortcode plugin for WordPress versions prior to 2.2

Description The plugin is susceptible to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user supplied attributes within the surbma-bookingcom shortcode. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages, which execute when a user visits the affected page.

Recommendations Update the plugin to a version later than 2.1.