CVE-2026-3003
Published: 21 March 2026
Summary
CVE-2026-3003 is a high-severity Cross-site Scripting (CWE-79) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 30.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-3003 is a stored cross-site scripting (XSS) vulnerability in the Vagaro Booking Widget plugin for WordPress, affecting all versions up to and including 0.3. The flaw stems from insufficient input sanitization and output escaping of the 'vagaro_code' parameter, enabling attackers to inject arbitrary web scripts into pages. It is classified under CWE-79 with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and scope change.
Unauthenticated attackers can exploit this vulnerability remotely by submitting malicious payloads via the 'vagaro_code' parameter, which are stored and later executed in the browsers of any users who access the affected pages. Successful exploitation allows script execution in the context of the site, potentially leading to session hijacking, defacement, or theft of sensitive data such as credentials, with low confidentiality and integrity impacts but no availability disruption.
Advisories reference source code locations in the plugin at lines 104 and 230 of vagaro-booking-widget.php in the WordPress plugin Trac repository, along with Wordfence threat intelligence describing the vulnerability (ID: 7a480473-ceae-4621-9b13-e0f0543c57e3). No specific patch details are given beyond the implication that versions later than 0.3 contain a fix; practitioners are advised to review these sources for the sanitization changes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14185
Vulnerability details
The Vagaro Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vagaro_code' parameter in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
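As an added illustration (not code from the Vagaro Booking Widget plugin, whose source is not reproduced on this page), the snippet below shows the input-validation and output-escaping pattern that SI-10 and SI-15 describe, applied to a hypothetical WordPress shortcode handler. Only the parameter name 'vagaro_code' comes from the advisory; the function names, the shortcode tag, and the treatment of the parameter as a shortcode attribute are assumptions. The stand-in functions at the top approximate WordPress's own helpers so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example, not the Vagaro Booking Widget plugin's code.
// 'vagaro_code' is the parameter named in the advisory; everything else
// (vbw_* function names, the shortcode tag) is a hypothetical assumption.

// Minimal stand-ins so this file also runs under plain `php` with no WordPress
// loaded. Under WordPress the real helpers are defined and these are skipped.
if (!function_exists('sanitize_text_field')) {
    // Simplified approximation of WordPress's sanitize_text_field().
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\r\n\t ]+/', ' ', $str);
        return trim($str);
    }
}
if (!function_exists('esc_attr')) {
    // WordPress's esc_attr() encodes the characters that can close an attribute.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts, $shortcode = '') {
        return array_merge($pairs, array_intersect_key((array) $atts, $pairs));
    }
}

// VULNERABLE pattern (SI-10 and SI-15 both missing): the stored attribute is
// interpolated into markup verbatim, so any quote or tag it contains reaches
// every visitor's browser unchanged.
function vbw_render_widget_unsafe($atts) {
    $atts = shortcode_atts(['vagaro_code' => ''], $atts);
    return '<div class="vagaro-widget" data-code="' . $atts['vagaro_code'] . '"></div>';
}

// HARDENED pattern: validate on input (SI-10), escape on output (SI-15).
// A widget code is assumed to be a short opaque token, so an allow-list of
// characters is applied instead of trusting arbitrary text; esc_attr() is still
// used on output so the two controls do not depend on each other.
function vbw_render_widget_safe($atts) {
    $atts = shortcode_atts(['vagaro_code' => ''], $atts);
    $code = sanitize_text_field($atts['vagaro_code']);
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $code)) {
        return ''; // reject anything that is not a plausible widget token
    }
    return '<div class="vagaro-widget" data-code="' . esc_attr($code) . '"></div>';
}

// Register the hardened handler only when WordPress is actually loaded.
// The shortcode tag is hypothetical.
if (function_exists('add_shortcode')) {
    add_shortcode('vagaro_booking_widget', 'vbw_render_widget_safe');
}

// Constructed sample inputs: one containing markup characters, one well-formed.
$broken  = ['vagaro_code' => 'abc" <i>x'];
$wellFormed = ['vagaro_code' => 'abc-123'];

echo "unsafe (attribute boundary broken): " . vbw_render_widget_unsafe($broken) . "\n";
echo "safe   (rejected, renders nothing): '" . vbw_render_widget_safe($broken) . "'\n";
echo "safe   (valid token, escaped):      " . vbw_render_widget_safe($wellFormed) . "\n";
```

Running the file with `php` prints the unsafe rendering with the `data-code` attribute terminated early by the embedded quote, an empty string for the hardened handler on the same input, and a well-formed `<div>` for the valid token. The point the advisory makes is visible in the difference: rejecting out-of-policy input and escaping on output are independent layers, and the hardened handler applies both.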
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing WordPress plugin directly enables remote script injection/execution (T1190, T1059.007), browser session hijacking/cookie theft (T1185, T1539), and defacement (T1491.002).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly addresses the insufficient sanitization of the 'vagaro_code' parameter, preventing malicious scripts from being stored in WordPress pages.
SI-15 (Information Output Filtering): enforces output filtering and escaping so that injected content is neutralized when users access affected pages.
Requires identification and correction of the stored XSS flaw through timely patching of the Vagaro Booking Widget plugin beyond version 0.3.