Platform: wordpress
Component: vagaro-booking-widget
Fixed in: 0.3.1
CVE-2026-3003 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in the Vagaro Booking Widget WordPress plugin. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts, potentially leading to account takeover or defacement. The issue affects versions 0.0.0 through 0.3 of the plugin. A fix is expected from the vendor.
Successful exploitation of CVE-2026-3003 allows an attacker to inject and execute malicious JavaScript code within the context of the Vagaro Booking Widget. This can lead to a variety of attacks, including stealing user cookies, redirecting users to phishing sites, or modifying the appearance of the website. The attacker could potentially gain access to user accounts if they are tricked into entering sensitive information on a malicious page. The blast radius extends to any user who interacts with the vulnerable booking widget, regardless of their role or privileges.
CVE-2026-3003 was publicly disclosed on 2026-03-21. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability is not currently listed on CISA KEV. The ease of exploitation is relatively high due to the lack of authentication required to inject the malicious script.
Exploit Status
EPSS: 0.08% (24th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3003 is to upgrade the Vagaro Booking Widget plugin to a version containing the security fix. If upgrading is not immediately possible, consider temporarily disabling the plugin to prevent further exploitation. While a direct WAF rule is difficult to implement without knowing the specific injection patterns, carefully reviewing and sanitizing any user-supplied input to the 'vagaro_code' parameter is crucial. Monitor WordPress access logs for unusual activity or suspicious requests targeting the plugin’s endpoints.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
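To support the log-monitoring recommendation above, the following added example (not code from the advisory or from the plugin) scans combined-format access log lines for requests whose vagaro_code parameter carries markup that a booking code should never contain. It assumes the value arrives as a query-string parameter; the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [21/Mar/2026:10:00:01 +0000] "GET /?vagaro_code=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Mar/2026:10:00:07 +0000] "GET /?vagaro_code=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.2 - - [21/Mar/2026:10:01:15 +0000] "GET /?vagaro_code=%2522%2520onerror%253Dalert(1) HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [21/Mar/2026:10:02:00 +0000] "GET /wp-content/plugins/vagaro-booking-widget/assets/widget.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup fragments that have no business in a booking code; matched case-insensitively.
SUSPICIOUS_RE = re.compile(
    r'<\s*/?\s*script|<\s*(?:img|svg|iframe)\b|\bon[a-z]+\s*=|javascript:', re.I
)

def decode_param(url, name="vagaro_code"):
    """Return the fully decoded value(s) of `name`, peeling repeated percent-encoding."""
    values = parse_qs(urlparse(url).query, keep_blank_values=True).get(name, [])
    out = []
    for v in values:
        prev = None
        while v != prev:          # stop once another unquote pass changes nothing
            prev, v = v, unquote(v)
        out.append(v)
    return out

def find_suspicious(log_text, param="vagaro_code"):
    """Return (ip, timestamp, decoded value) for requests whose `param` contains markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:                 # skip malformed or non-matching lines
            continue
        for value in decode_param(m["url"], param):
            if SUSPICIOUS_RE.search(value):
                hits.append((m["ip"], m["ts"], value))
    return hits

if __name__ == "__main__":
    for ip, ts, value in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious vagaro_code={value!r}")
```

Pipe a real access log into `find_suspicious` to triage requests against the plugin before the upgrade is rolled out; the decoding loop is what catches double-encoded values that a single-pass filter would miss.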
CVE-2026-3003 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Vagaro Booking Widget WordPress plugin, allowing attackers to inject malicious scripts.
You are affected if you are using versions 0.0.0 through 0.3 of the Vagaro Booking Widget plugin on your WordPress site.
Upgrade the Vagaro Booking Widget plugin to a patched version. If upgrading is not possible, temporarily disable the plugin.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the Vagaro Booking Widget plugin repository or the WordPress plugin directory for updates and advisories.