Login Sign Up

CVE-2026-0742

6.4 MEDIUM
Cross-Site Scripting

📋 TL;DR

The Smart Appointment & Booking WordPress plugin has a stored XSS vulnerability that allows authenticated attackers with Subscriber-level access or higher to inject malicious scripts into pages. These scripts execute whenever users visit the compromised pages, potentially stealing session cookies or redirecting users. All WordPress sites using this plugin up to version 1.0.7 are affected.

💻 Affected Systems

Products:
  • Smart Appointment & Booking WordPress Plugin
Versions: All versions up to and including 1.0.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled. Attackers need at least Subscriber-level authenticated access.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, take over the WordPress site, install backdoors, deface the site, or redirect users to malicious sites.

🟠

Likely Case

Attackers steal user session cookies, perform phishing attacks, or deface appointment booking pages.

🟢

If Mitigated

With proper input validation and output escaping, no script execution occurs, limiting impact to data corruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in publicly accessible AJAX endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.8 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/smart-appointment-booking/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Smart Appointment & Booking' and click 'Update Now'. 4. Verify the plugin version is 1.0.8 or higher.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoints via .htaccess

all

Blocks access to the vulnerable saab_save_form_data AJAX action

# Add to .htaccess in WordPress root directory
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} action=saab_save_form_data
RewriteRule .* - [F,L]
</IfModule>

Remove Subscriber role creation capability

all

Prevents creation of new Subscriber accounts that could be used for exploitation

# Add to theme's functions.php or custom plugin
add_filter('user_has_cap', function($allcaps, $caps, $args) {
    if (in_array('create_users', $caps)) {
        $allcaps['create_users'] = false;
    }
    return $allcaps;
}, 10, 3);

🧯 If You Can't Patch

  • Disable the Smart Appointment & Booking plugin entirely
  • Implement a Web Application Firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Smart Appointment & Booking' version 1.0.7 or lower

Check Version:

wp plugin list --name='smart-appointment-booking' --field=version

Verify Fix Applied:

After updating, verify the plugin shows version 1.0.8 or higher in the WordPress plugins list

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=saab_save_form_data containing script tags
  • Unusual user activity from Subscriber-level accounts

Network Indicators:

  • HTTP requests with malicious script payloads in POST parameters
  • Traffic patterns showing script injection attempts

SIEM Query:

source="wordpress.log" AND "action=saab_save_form_data" AND ("<script" OR "javascript:")

📊 Metadata

CVE ID: CVE-2026-0742
CVSS v3 Score: 6.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CWE: CWE-79
EPSS Score: 0.04% exploit probability (12.1th percentile)
Published: February 4, 2026
Last Updated: February 4, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-0742, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)