PT-2026-56733 · Safistudio · Bookero.Pl – System Rezerwacji Online

Zaim

·

Published

2026-07-09

·

Updated

2026-07-09

·

CVE-2026-6910

CVSS v3.1

6.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
The Bookero.pl – system rezerwacji online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the bookero products shortcode's hide products (and filter products) attributes in versions up to and including 2.2. This is due to insufficient input sanitization and output escaping in the bookero products() function — the raw attribute value is concatenated directly into an inline <script> block without any escaping. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-6910

Affected Products

Bookero.Pl – System Rezerwacji Online