Bookero.pl WordPress Plugin Stored Cross-Site Scripting Vulnerability
The Bookero.pl – system rezerwacji online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `bookero_products` shortcode's `hide_products` (and `filter_products`) attributes in versions up to and including 2.2. This is due to insufficient input sanitization and output escaping in the `bookero_products()` function — the raw attribute value is concatenated directly into an inline `<script>` block without any escaping. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.
Quick answer
Bookero.pl - system rezerwacji online should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Bookero.pl - system rezerwacji online up to and including 2.2
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
Bookero.pl is affected by CVE-2026-6910. Vulnerable versions up to 2.2 allow stored cross-site scripting because shortcode attributes are concatenated into inline JavaScript without sufficient escaping. Patch and clean stored content that may contain script payloads.
- Inventory WordPress sites using Bookero.pl.
- Update Bookero.pl beyond 2.2 when a fixed release is available.
- Temporarily restrict contributor/subscriber content submission if patching is delayed.
- Review plugin fields, shortcode attributes, profile links, and stored records for injected script payloads.
- Remove malicious content and purge page, object, and CDN caches.
- Apply a Content Security Policy where compatible to reduce XSS impact.
- Review administrator sessions if privileged users viewed affected pages.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Bookero.pl is no longer version 2.2 or older.
- Submit harmless script-like input in staging and confirm it is rejected or escaped.
- Open affected pages and confirm no stored script executes.
- Review rendered HTML for unsafe inline script injection from user-controlled values.
- Run a Fixnx scan and verify public WordPress exposure after cleanup.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-6910?
Bookero.pl - system rezerwacji online versions listed as affected should be reviewed: Bookero.pl - system rezerwacji online up to and including 2.2.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
