WordPress Security Bulletin: Fluent Booking Plugin Vulnerability (CVE-2026-2231)

Security Alert Summary

The Fluent Booking plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in multiple parameters in all versions up to, and including, 2.0.01. Insufficient input sanitization and output escaping allow unauthenticated attackers to inject scripts that execute when affected pages are viewed.


CVE Details

  • CVE ID: CVE-2026-2231
  • Affected component: Fluent Booking plugin for WordPress
  • Affected versions: All versions up to, and including, 2.0.01
  • Published: March 26, 2026 at 2:16:09 PM UTC
  • Last modified: March 26, 2026 at 2:16:09 PM UTC
  • CVSS v3.1: Base Score 7.2 (HIGH) — Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: No authentication required; privileges required: None; user interaction: None
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation)

Technical Details

This vulnerability is a stored cross-site scripting (XSS) issue arising from insufficient input sanitization and missing output escaping for multiple parameters used by the plugin. An attacker can submit crafted input that is stored by the plugin and later rendered into pages without proper encoding, causing arbitrary JavaScript to execute in the context of users viewing the affected pages.

The public references point to plugin code locations involved in request handling and data models, including app/Hooks/Handlers/FrontEndHandler.php and app/Models/Booking.php, as well as app/Services/LocationService.php. These references indicate where unsanitized input flows into output, though the CVE data does not provide a complete exploit chain or a single named endpoint. The root cause is a lack of adequate input validation and escaping at output time.
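The pattern behind CWE-79 in a plugin like this is easier to see side by side. The following is an added illustration, not Fluent Booking's code: a constructed booking record with a guest name and a location string, rendered first by concatenating the stored values straight into HTML and then by sanitizing at input time and escaping at output time with the context-appropriate WordPress escaper. The function names (`render_booking_vulnerable`, `store_booking`, `render_booking_hardened`) and the sample payloads are invented for the example; the fallback definitions at the top only exist so the file runs under plain `php` outside WordPress, where the real `esc_html()`, `esc_attr()` and `sanitize_text_field()` would be used instead.

```php
<?php
// Added example (not the plugin's code): unsafe vs. safe rendering of stored booking fields.

// Fallbacks so this file also runs outside WordPress. Inside WordPress these are
// already defined and the real implementations take precedence.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of the WordPress function: strip tags and control characters, trim.
    function sanitize_text_field(string $s): string {
        $s = strip_tags($s);
        $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
        return trim($s);
    }
}

// Constructed record, standing in for a row the plugin stored from a booking form.
$booking = [
    'guest_name' => 'Alice <img src=x onerror=alert(1)>',
    'location'   => '"><script>alert(1)</script>',
];

// Vulnerable pattern: stored values are concatenated directly into markup, so
// anything the submitter typed becomes part of the page for every viewer.
function render_booking_vulnerable(array $b): string {
    return '<div class="booking" data-location="' . $b['location'] . '">'
         . '<span>' . $b['guest_name'] . '</span></div>';
}

// Hardened pattern, step 1: normalise plain-text fields when they are stored.
function store_booking(array $raw): array {
    return [
        'guest_name' => sanitize_text_field($raw['guest_name']),
        'location'   => sanitize_text_field($raw['location']),
    ];
}

// Hardened pattern, step 2: escape at output time with the escaper that matches
// the HTML context (esc_attr inside an attribute, esc_html in a text node).
function render_booking_hardened(array $b): string {
    return '<div class="booking" data-location="' . esc_attr($b['location']) . '">'
         . '<span>' . esc_html($b['guest_name']) . '</span></div>';
}

echo "Vulnerable output:\n" . render_booking_vulnerable($booking) . "\n\n";
echo "Hardened output:\n" . render_booking_hardened(store_booking($booking)) . "\n";
```

Running the file shows why output escaping, not input sanitization, is the control that matters. After `sanitize_text_field()` the location value is reduced to `">`, which is still enough to close the `data-location` attribute if it were echoed raw; only `esc_attr()` turns it into `&quot;&gt;` and keeps it inside the attribute. Every place a stored value reaches HTML needs the matching escaper, including admin screens, which is the situation the bulletin describes.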

Impact is limited to what stored XSS typically allows: execution of attacker-controlled scripts in the browser of any user who views an injected page. Because the CVSS impacts are listed as Low for confidentiality and integrity and None for availability, the expected consequences are targeted theft of client-side secrets (cookies, tokens) or content manipulation visible to users, rather than full site takeover.


How This Could Impact Your Website

Consider a site where site owners, internal staff (editors or managers), and external contributors (contractors or customers making bookings) interact. If an attacker submits malicious content via a booking form or location input and that content is stored and later displayed to staff or customers without escaping, the injected script can run in their browsers when they view booking pages or related admin screens.

Practical consequences include exposure of session cookies or authentication tokens for users who view the injected content, unauthorized modification or display of page content, and increased risk of successful targeted phishing or social engineering using data harvested from affected pages. The impact aligns with the CVSS assessment: attacker-controlled script execution with limited confidentiality and integrity effects and no direct availability impact.

Professional review: If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributors and other low-privilege accounts that can submit content.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and logs for unusual behavior, including unexpected content submissions or page changes.
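Updating the plugin stops new injections but does not clean out payloads that were stored before the fix. The following added example (not part of the bulletin or the plugin) shows a simple triage pass over booking rows: plain-text fields such as a guest name or location should come back from `strip_tags()` unchanged, and should not contain inline event handlers or `javascript:` URLs. The helper names `field_looks_injected()` and `detect_markup_fields()` and the three sample rows are constructed for illustration; in a real audit the rows would come from a `$wpdb->get_results()` query against the plugin's tables.

```php
<?php
// Added example (not the plugin's code): flag stored booking fields that contain markup.

// A plain-text field should survive strip_tags() unchanged; any difference means
// HTML tags were stored. The regex catches attribute-style and URL-style payloads
// that carry no angle brackets and would pass strip_tags() untouched.
function field_looks_injected(string $value): bool {
    if (strip_tags($value) !== $value) {
        return true;
    }
    return (bool) preg_match('/(javascript:|\bon[a-z]+\s*=|&lt;\s*script)/i', $value);
}

// Walk every row and every plain-text field, collecting the suspicious ones.
function detect_markup_fields(array $rows, array $fields): array {
    $hits = [];
    foreach ($rows as $row) {
        foreach ($fields as $f) {
            if (isset($row[$f]) && field_looks_injected((string) $row[$f])) {
                $hits[] = ['id' => $row['id'], 'field' => $f, 'value' => $row[$f]];
            }
        }
    }
    return $hits;
}

// Constructed sample rows: one clean, one with a tag, one with an attribute-style payload.
$rows = [
    ['id' => 101, 'guest_name' => 'Bob Example',              'location' => 'Room 4'],
    ['id' => 102, 'guest_name' => 'Eve <svg/onload=alert(1)>', 'location' => 'Lobby'],
    ['id' => 103, 'guest_name' => 'Carol',                    'location' => '" onmouseover="alert(1)'],
];

foreach (detect_markup_fields($rows, ['guest_name', 'location']) as $hit) {
    // Expected: rows 102 (guest_name) and 103 (location) are reported.
    printf("booking %d field %s: %s\n", $hit['id'], $hit['field'], $hit['value']);
}
```

The check is deliberately a heuristic for triage rather than a parser: it will over-report names that happen to match `on…=` and it does not understand every encoding trick. Treat hits as records to review and re-save through the patched plugin (or delete), and pair the one-off scan with the log monitoring recommended above so repeat submissions are noticed.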

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References