{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39604", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:55.140Z", "datePublished": "2026-04-08T08:30:22.200Z", "dateUpdated": "2026-04-08T08:30:22.200Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "mybooktable", "product": "MyBookTable Bookstore", "vendor": "zookatron", "versions": [{"lessThanOrEqual": "3.6.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:44.874Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore mybooktable allows Stored XSS.<p>This issue affects MyBookTable Bookstore: from n/a through <= 3.6.0.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore mybooktable allows Stored XSS.This issue affects MyBookTable Bookstore: from n/a through <= 3.6.0."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:22.200Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/mybooktable/vulnerability/wordpress-mybooktable-bookstore-plugin-3-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress MyBookTable Bookstore plugin <= 3.6.0 - Cross Site Scripting (XSS) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore mybooktable allows Stored XSS.This issue affects MyBookTable Bookstore: from n/a through <= 3.6.0."}], "id": "CVE-2026-39604", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:29.610", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/mybooktable/vulnerability/wordpress-mybooktable-bookstore-plugin-3-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MyBookTable Bookstore", "source": "cna", "vendor": "zookatron"}, "product": "mybooktable_bookstore", "vendor": "zookatron"}], "analysis": {"en": {"generated_at": "2026-04-08T09:45:01.172784+00:00", "value": {"mitigation_remediation": ["Upgrade the MyBookTable Bookstore plugin to the latest version that is newer than 3.6.0.", "Verify that the upgrade successfully removed the vulnerable code path by testing a known malicious payload in a safe environment.", "If an immediate update is not possible, temporarily disable or remove the plugin from the WordPress installation.", "Continuously monitor site logs for signs of script execution and ensure other plugins are kept current."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross-Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites using the MyBookTable Bookstore plugin from any version up to and including 3.6.0. This includes all earlier released versions, since the vulnerability exists from the plugin's introduction up to the stated limit.", "description_and_impact": "Improper neutralization of input during page generation allows an attacker to inject malicious scripts that are stored and executed in the browsers of visitors who view affected pages. This stored XSS can lead to session hijacking, credential theft, defacement, or the delivery of malware. The weakness is a classic cross\u2011site scripting flaw (CWE\u201179).", "risk_and_exploitability": "The CVSS score is not provided, but the vulnerability enables arbitrary script execution with user\u2011facing impact. EPSS is not available, and the issue is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. The likely attack vector involves inserting malicious content through the plugin\u2019s data entry interface; an attacker with sufficient permissions to add or edit book entries can embed JavaScript that will run for all site visitors. Therefore, sites that allow users beyond administrators to interact with this plugin remain at risk until the flaw is mitigated."}}}}, "created": "2026-04-08T19:29:56.551910+00:00", "updated": "2026-04-08T19:42:14.128863+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "zookatron", "zookatron$PRODUCT$mybooktable_bookstore"]}