61 matches found
CVE-2026-1607
The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's surbma-bookingcom shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...
Booking.com breach gives scammers what they need to target guests
Travel companies love telling you your data is safe. Booking.com just reminded everyone why that's a hard promise to keep. The Amsterdam-based booking giant began notifying customers on April 13 that "unauthorized third parties" had accessed guest reservation data. The compromised information...
EUVD-2026-22205
The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's surbma-bookingcom shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...
CVE-2026-1607 Surbma | Booking.com <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's surbma-bookingcom shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...
WordPress Surbma | Booking.com plugin <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode vulnerability discovered by zakaria in WordPress Plugin Surbma | Booking.com Shortcode versions <= 2.1...
“I Paid Twice” Scam Infects Booking.com Users with PureRAT via ClickFix
Cybersecurity firm Sekoia reports a widespread fraud where criminals compromise hotel systems Booking.com, Expedia and others with PureRAT malware, then use stolen reservation data to phish and defraud guests...
EUVD-2024-43332
Malicious code in bioql PyPI...
Booking.com reservation abused as cybercriminals steal from travelers
Robert Woodford, a recruitment marketing specialist, recently shared on LinkedIn how he fell victim to a highly sophisticated scam while booking a hotel in Verona through Booking.com, providing a striking example of how attacks on the hospitality industry affect travelers. After completing a...
ClickFix Email Scam Alert: Fake Booking.com Emails Deliver Malware
Cofense Intelligence uncovers a surge in ClickFix email scams impersonating Booking.com, delivering RATs and info-stealers. Learn how these...
CVE-2024-49265
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in SPBooking.com Booking.com Banner Creator bookingcom-banner-creator. This issue affects Booking.com Banner Creator: from n/a through <= 1.4.6...
CVE-2021-24646
The Booking.com Banner Creator WordPress plugin before 1.4.3 does not properly sanitize inputs when creating banners, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...
CVE-2021-24645
The Booking.com Product Helper WordPress plugin before 1.0.2 does not sanitize and escape Product Code when creating Product Shortcode, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed...
Booking.com Phishing Scam Uses Fake CAPTCHA to Install AsyncRAT
Fake Booking.com emails trick hotel staff into running AsyncRAT malware via fake CAPTCHA, targeting systems with remote access...
Booking.com phish uses fake CAPTCHAs to trick hotel staff into downloading malware
A new phishing campaign that uses the fake CAPTCHA websites we reported about recently is targeting hotel staff in a likely attempt to access customer data, according to research from ThreatDown. Here's how it works: Cybercriminals send a fake Booking.com email to a hotel’s email address, asking...
CVE-2024-49265
Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Partnerships at Booking.Com Booking.Com Banner Creator allows Stored XSS. This issue affects Booking.Com Banner Creator: from n/a through 1.4.6...
CVE-2024-49265 WordPress Booking.com Banner Creator plugin <= 1.4.6 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Partnerships at Booking.Com Booking.Com Banner Creator allows Stored XSS. This issue affects Booking.Com Banner Creator: from n/a through 1.4.6...
CVE-2024-49265 WordPress Booking.com Banner Creator plugin <= 1.4.6 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in SPBooking.com Booking.com Banner Creator bookingcom-banner-creator. This issue affects Booking.com Banner Creator: from n/a through <= 1.4.6...
CVE-2024-49265
CVE-2024-49265 is a stored XSS in the Booking.com Banner Creator WordPress plugin (versions up to 1.4.6). The vulnerability arises from improper input neutralization during web page generation, enabling stored cross-site scripting where attacker-supplied input can persist and execute in other use...
PT-2024-33404 · Booking.Com · Booking.Com Banner Creator
Name of the Vulnerable Software and Affected Versions: Booking.Com Banner Creator versions 1.4.6 and earlier Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting XSS. This allows for Stored XSS in the Booking.Com Bann...
WordPress plugin Booking.Com Banner Creator cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...