Platform
wordpress
Component
vagaro-booking-widget
Fixed version
0.3.1
CVE-2026-3003 is a stored Cross-Site Scripting (XSS) vulnerability in the Vagaro Booking Widget WordPress plugin. An unauthenticated attacker can inject arbitrary web script that is persisted by the plugin and served to every visitor of the affected page, which can lead to session theft, account takeover or defacement. Versions 0.0.0 through 0.3 of the plugin are affected; 0.3.1 is listed as the fixed version.
Successful exploitation of CVE-2026-3003 lets an attacker execute malicious JavaScript in the origin of the WordPress site that renders the Vagaro Booking Widget, not merely inside the widget itself. Because the payload is stored, it runs in the browser of every visitor who loads the affected page, including logged-in editors and administrators. Typical consequences are theft of cookies or session data, redirection to phishing sites, and modification of page content; users can be tricked into entering credentials on an attacker-controlled page, and even where WordPress's authentication cookies are HttpOnly, the script can still perform actions with the victim's privileges. The blast radius therefore covers every user who interacts with the page hosting the vulnerable widget, regardless of role.
CVE-2026-3003 was publicly disclosed on 2026-03-21. No public proof-of-concept (PoC) code had been released at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. Because no authentication is required to inject the script, exploitation is considered relatively easy once the injection point is known.
Any site running the Vagaro Booking Widget plugin is at increased risk, particularly sites with limited hardening (no Content Security Policy or WAF in front of WordPress) and shared or multi-tenant WordPress installations. Sites where the booking widget is displayed on high-traffic pages, or where it handles sensitive customer data, are the most exposed.
• wordpress / composer / npm: grep -r 'vagaro_code' /var/www/html/wp-content/plugins/vagaro-booking-widget/
• wordpress / composer / npm: wp plugin list | grep 'vagaro-booking-widget'
• wordpress / composer / npm: wp plugin status | grep 'vagaro-booking-widget'
Exploitation status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3003 is to upgrade the Vagaro Booking Widget plugin to a release containing the fix (0.3.1 is the listed fixed version). If upgrading is not immediately possible, deactivate the plugin until it can be updated. A precise WAF rule is hard to write without knowing the exact injection path, but a legitimate 'vagaro_code' value never contains markup, inline event handlers or javascript: URIs, so requests carrying such content in that parameter can be blocked or alerted on; make sure any value that reaches the parameter is sanitized on input and escaped on output. Monitor web-server access logs for requests that target the plugin's endpoints with such payloads.
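Monitoring access logs for such requests, as an added example (this is not code from the plugin, the vendor or this advisory): a Python script that parses combined-format web-server log lines, extracts every `vagaro_code` query parameter, decodes it (including double-encoded values) and flags values containing markup, inline event handlers or `javascript:` URIs. The parameter name comes from the mitigation above; the log format, the indicator patterns and the sample log lines are assumptions constructed here for illustration.

```python
"""Flag access-log requests carrying XSS-looking payloads in the
`vagaro_code` parameter of the Vagaro Booking Widget plugin.

Added example, not plugin or advisory code. The parameter name comes
from the advisory's mitigation text; the combined log format, the
indicator patterns and SAMPLE_LOG are assumptions for illustration.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Mar/2026:10:01:02 +0000] "GET /?vagaro_code=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [21/Mar/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=test&vagaro_code=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 77 "-" "curl/8.0"
203.0.113.12 - - [21/Mar/2026:10:02:09 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.13 - - [21/Mar/2026:10:03:11 +0000] "GET /book/?vagaro_code=%22%20onmouseover%3Dalert(document.cookie)%20x%3D%22 HTTP/1.1" 200 600 "-" "Mozilla/5.0"
203.0.113.14 - - [21/Mar/2026:10:04:30 +0000] "GET /?vagaro_code=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 600 "-" "Mozilla/5.0"
"""

# The parts of a combined-log line this script needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators that a value is markup or script rather than a plain booking code.
# Deliberately broad: tune them against your own traffic before alerting.
XSS_INDICATORS = {
    "html_tag": re.compile(r'<\s*/?\s*[a-z][a-z0-9]*', re.I),
    "event_handler": re.compile(r'\bon[a-z]+\s*=', re.I),
    "javascript_uri": re.compile(r'javascript\s*:', re.I),
}

PARAM = "vagaro_code"  # parameter named in the advisory's mitigation text


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL encoding so that double-encoded
    payloads (%253C -> %3C -> <) are inspected in their final form."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str):
    """Return the ip/ts/method/target/status fields of one log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def param_values(target: str, name: str = PARAM):
    """Return every value of `name` in the request target's query string."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get(name, [])


def classify(value: str):
    """Return the names of all indicators that fire on the decoded value."""
    decoded = fully_decode(value)
    return [name for name, rx in XSS_INDICATORS.items() if rx.search(decoded)]


def scan_log(text: str):
    """Scan log text and return one finding per suspicious parameter value."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for raw in param_values(rec["target"]):
            reasons = classify(raw)
            if reasons:
                findings.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "target": rec["target"],
                    "decoded_value": fully_decode(raw),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_LOG with the contents of your real access log.
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['reasons']} {f['decoded_value']!r}")
```

Two limitations worth keeping in mind: access logs record only the request line, so payloads sent in a POST body are invisible to this check and need a WAF or application-level logging instead; and the `event_handler` indicator fires on any `on<word>=` token, so expect some false positives on legitimate parameters and tighten the patterns to your traffic before wiring this into alerting.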
If a patched release is not yet available for your deployment, review the vulnerability's details in depth and apply mitigations according to your organization's risk tolerance; uninstalling the plugin and replacing it may be the safest option.
CVE-2026-3003 is a stored Cross-Site Scripting (XSS) vulnerability in the Vagaro Booking Widget WordPress plugin that allows unauthenticated attackers to inject scripts which execute in the browsers of the site's visitors.
You are affected if you are using versions 0.0.0 through 0.3 of the Vagaro Booking Widget plugin on your WordPress site.
Upgrade the Vagaro Booking Widget plugin to a patched version (0.3.1 is the listed fixed version). If upgrading is not possible, deactivate the plugin until it can be updated.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the Vagaro Booking Widget plugin repository or the WordPress plugin directory for updates and advisories.