Hong Kong Security Alert: Booking Plugin XSS (CVE-2026-25435)

Cross Site Scripting (XSS) in WordPress Booking calendar, Appointment Booking System Plugin
Plugin Name: WordPress Booking calendar, Appointment Booking System Plugin
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2026-25435
Urgency: Medium
CVE Publish Date: 2026-03-20
Source URL: CVE-2026-25435

Urgent: Cross‑Site Scripting (XSS) in Booking calendar / Appointment Booking System plugin (<= 3.2.35) — What WordPress Site Owners Need to Know (CVE‑2026‑25435)

Date: 18 March 2026

From the perspective of a Hong Kong security expert: this advisory summarises the XSS vulnerability impacting the Booking calendar / Appointment Booking System plugin (versions up to and including 3.2.35), assigned CVE‑2026‑25435 and scored CVSS 7.1. XSS issues are frequently weaponised quickly and can be chained into privilege escalation and account takeover. Treat this issue with urgency.

This post covers:

  • What the vulnerability is and why it matters;
  • Who is at risk and how attackers could leverage it;
  • Immediate steps to reduce exposure, including emergency mitigations you can apply today;
  • How a web application firewall (WAF) and virtual patching can help when no official plugin update exists;
  • Longer‑term hardening and incident response recommendations.

Note: As of the advisory published on 18 March 2026, no official plugin update had been posted for this specific issue. If an official patch is released, installing it should be the primary remediation. Until then, follow the guidance below.

Quick summary for non‑technical site owners

  • Risk: A Cross‑Site Scripting (XSS) vulnerability exists in Booking calendar / Appointment Booking System plugin versions ≤ 3.2.35 (CVE‑2026‑25435). CVSS: 7.1.
  • Impact: Attackers can inject JavaScript or other active content into pages viewed by administrators or privileged users. That script can exfiltrate cookies or tokens, perform actions as the victim, or load additional malware.
  • Urgency: High — XSS is often used in automated exploitation and can lead to account takeover.
  • Immediate actions: If a vendor patch exists, install it immediately. If not, consider disabling or uninstalling the plugin if practical, restrict admin access, enforce strong admin controls, and deploy WAF rules or virtual patches to block exploit payloads.

What exactly is XSS and why is this one serious?

Cross‑Site Scripting (XSS) occurs when an application includes untrusted input in web pages without proper validation or encoding. An attacker supplies input containing executable JavaScript (or other active content). When a victim (often an administrator) loads the affected page, the injected script runs with the victim’s browser privileges — it can read cookies, local storage, CSRF tokens, modify the DOM, or perform actions on behalf of the user.
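To make the bug class concrete, the following is an added example, not code from the plugin or the advisory: it renders a constructed booking record into an admin-side HTML row the unsafe way and then with context-aware output encoding (the equivalents of WordPress esc_html() and esc_attr()), and checks whether any untrusted field value survives verbatim. The field names and the tag-bearing sample values are assumptions for illustration.

```python
import html
import re

# Constructed booking record, as a plugin might store it from a public form.
# 'name' and 'notes' are the attacker-controlled fields (constructed values).
BOOKING = {
    "name": '<img src=x onerror="alert(1)">',
    "notes": 'See "details" & </td><script>steal()</script>',
    "phone": "+852 0000 0000",
}
UNTRUSTED = ("name", "notes")

def render_vulnerable(b: dict) -> str:
    # The bug class: raw field values concatenated into admin page HTML.
    return (f'<tr data-name="{b["name"]}">'
            f'<td>{b["name"]}</td><td>{b["notes"]}</td><td>{b["phone"]}</td></tr>')

def esc_html(s: str) -> str:
    # Equivalent of WordPress esc_html(): safe for an HTML text node.
    return html.escape(s, quote=False)

def esc_attr(s: str) -> str:
    # Equivalent of WordPress esc_attr(): also escapes both quote characters,
    # which is required inside a quoted attribute value.
    return html.escape(s, quote=True)

def render_hardened(b: dict) -> str:
    # Each value is encoded for the exact context it lands in.
    return (f'<tr data-name="{esc_attr(b["name"])}">'
            f'<td>{esc_html(b["name"])}</td>'
            f'<td>{esc_html(b["notes"])}</td>'
            f'<td>{esc_html(b["phone"])}</td></tr>')

def naive_input_filter(s: str) -> str:
    # Input-side filter that only strips <script> blocks; shown because
    # it leaves attribute-based vectors (onerror=...) untouched.
    return re.sub(r"<script.*?</script>", "", s, flags=re.I | re.S)

def raw_values_survive(rendered: str, b: dict) -> list:
    # Detection check: which untrusted values reach the page unencoded?
    return [f for f in UNTRUSTED if b[f] in rendered]

if __name__ == "__main__":
    print("vulnerable:", raw_values_survive(render_vulnerable(BOOKING), BOOKING))
    print("hardened:  ", raw_values_survive(render_hardened(BOOKING), BOOKING))
```

Output encoding at render time is the fix; stripping tags on input, as naive_input_filter shows, does not close the attribute-based variant.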

Why this vulnerability is particularly concerning:

  • The vulnerability appears to be reachable without authentication for initial input, while exploitation commonly requires a privileged user to view or interact with the poisoned content. Attackers can therefore plant payloads publicly and wait for an admin to trigger them.
  • XSS can be a stepping stone to site takeover: exfiltrate admin sessions, create new admin users, alter settings, or install persistent backdoors.
  • Automated scanners and bots rapidly scan for public XSS vulnerabilities; exploitation campaigns often begin within hours to days of disclosure.

Who is at risk?

  • Websites running the Booking calendar / Appointment Booking System plugin with version 3.2.35 or older.
  • Sites where administrators or privileged users interact with plugin interfaces or any form input that may render adversarial content.
  • Sites with weak admin protections (no 2FA, shared or reused passwords) or publicly accessible admin dashboards.
  • Note: Installed but inactive plugins can sometimes leave endpoints or assets accessible; confirm removal if not in use.

How an attack might play out (attack flow)

  1. Attacker identifies sites running the vulnerable plugin via automated scanning.
  2. Attacker submits a crafted booking or form input, or crafts a URL that stores/reflects malicious input where an admin will view it (e.g., booking details in wp-admin or user‑facing pages).
  3. An administrator or privileged user loads the affected page; injected JavaScript executes in their browser.
  4. The script exfiltrates session data, makes authenticated requests to create a new admin, or installs a backdoor.
  5. The attacker uses stolen sessions or backdoors to take control of the site.

Indicators of Compromise (IoCs) and detection tips

If you suspect exploitation, check for:

  • Unexpected JavaScript snippets in pages served from your site (encoded scripts,