CVE-2026-6910 Overview
CVE-2026-6910 is a Stored Cross-Site Scripting (XSS) vulnerability in the Bookero.pl online reservation system plugin for WordPress. The flaw affects all versions up to and including 2.2. The vulnerability resides in the bookero_products shortcode, specifically in the handling of the hide_products and filter_products attributes. The bookero_products() function concatenates raw attribute values directly into an inline <script> block without sanitization or output escaping. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript that executes in the context of any user who views the injected page.
Critical Impact
Authenticated contributors can inject persistent JavaScript that executes in visitors' browsers, enabling session theft, privilege escalation through admin-targeted payloads, and site defacement.
Affected Products
- Bookero.pl – system rezerwacji online plugin for WordPress
- All versions up to and including 2.2
- WordPress sites permitting contributor-level or higher user registration
Discovery Timeline
- 2026-07-09 - CVE-2026-6910 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-6910
Vulnerability Analysis
The vulnerability is classified as Stored Cross-Site Scripting under [CWE-79]. It stems from improper neutralization of input during web page generation within the bookero_products() function in libraries/bookero-front.php. The function processes the hide_products and filter_products shortcode attributes and injects them into an inline JavaScript block rendered on the page. Because the attribute values bypass both input sanitization and output escaping, an attacker can break out of the JavaScript string context and inject arbitrary code. The injected payload is stored persistently in post content and executes whenever any visitor loads the affected page.
Root Cause
The root cause is missing input validation and missing output escaping at the point where user-controlled shortcode attribute values are concatenated into a <script> element. Safe WordPress APIs such as esc_js(), wp_json_encode(), or sanitize_text_field() were not applied before the values reached the response body. Contributors in WordPress can save posts containing shortcodes, so any user at that role or above can plant the payload.
Attack Vector
An authenticated attacker with contributor privileges creates or edits a post containing the bookero_products shortcode. The attacker supplies a crafted hide_products or filter_products attribute containing a JavaScript string terminator followed by arbitrary code. When an administrator previews the post or any visitor accesses the published page, the injected script executes with the victim's session context. This enables cookie theft, forced administrative actions, or redirection to attacker-controlled infrastructure.
The vulnerable code path is documented in the WordPress Plugin Trac source and detailed in the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-6910
Indicators of Compromise
- Post or page content containing the bookero_products shortcode with hide_products or filter_products attributes that include quote characters, angle brackets, or JavaScript keywords such as alert, fetch, or document.cookie.
- Outbound HTTP requests from browsers rendering site pages to unknown external domains shortly after page load.
- Unexpected administrative account creation or privilege changes following contributor activity on the site.
Detection Strategies
- Scan the WordPress wp_posts table for shortcode attributes containing suspicious characters using SQL patterns targeting bookero_products.*hide_products and bookero_products.*filter_products.
- Deploy a web application firewall rule that inspects shortcode attribute values in POST requests to /wp-admin/post.php and /wp-admin/admin-ajax.php.
- Review edit history and revision logs for contributor-level accounts adding or modifying pages that include the vulnerable shortcode.
Monitoring Recommendations
- Monitor WordPress user role changes and new contributor account registrations, especially on sites with open registration.
- Log and alert on Content Security Policy violation reports referencing inline script execution on pages using the Bookero plugin.
- Track administrator session anomalies such as unexpected AJAX requests to wp-admin endpoints originating from front-end page views.
How to Mitigate CVE-2026-6910
Immediate Actions Required
- Update the Bookero.pl plugin to a version later than 2.2 once the vendor releases a patched build referenced in the WordPress changeset.
- Audit all posts and pages containing the bookero_products shortcode and remove any suspicious hide_products or filter_products attribute values.
- Review contributor and author accounts for unexpected registrations or suspicious content submissions.
Patch Information
A fix has been committed to the plugin's trunk branch as documented in the WordPress plugin repository changeset 3524452. Site administrators should upgrade to the fixed release once available through the WordPress plugin update channel. Refer to the Wordfence advisory for confirmation of fixed versions.
Workarounds
- Deactivate the Bookero.pl plugin until an updated version can be installed.
- Restrict contributor-level and above access to trusted users only, and disable open user registration in WordPress General Settings.
- Deploy a web application firewall rule to block shortcode attributes containing <script>, </script>, or JavaScript string-breaking characters in POST bodies targeting the post editor.
# WP-CLI: locate posts containing the vulnerable shortcode for manual review
wp db query "SELECT ID, post_title, post_status FROM wp_posts \
WHERE post_content LIKE '%bookero_products%' \
AND (post_content LIKE '%hide_products%' OR post_content LIKE '%filter_products%');"
# Disable open registration until patched
wp option update users_can_register 0
# Deactivate the plugin as an interim workaround
wp plugin deactivate bookeropl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

