CVE-2026-1945 – The WPBookit WordPress plugin has a stored cros... (How to Fix)

Q: What is the severity of CVE-2026-1945?

CVE-2026-1945 has a CVSS score of 7.2 (HIGH). The WPBookit WordPress plugin has a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages. When users visit compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using WPBookit version 1.0.8 or earlier are affected.

📋 TL;DR

The WPBookit WordPress plugin has a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages. When users visit compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using WPBookit version 1.0.8 or earlier are affected.

💻 Affected Systems

Products:

WPBookit WordPress Plugin

Versions: All versions up to and including 1.0.8

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the booking shortcode controller where user input is not properly sanitized before being stored and displayed.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, take over the WordPress site, install backdoors, deface the site, or redirect visitors to malicious sites.

🟠

Likely Case

Attackers inject malicious JavaScript to steal user session cookies, redirect users to phishing pages, or display unwanted advertisements.

🟢

If Mitigated

With proper input validation and output escaping, the vulnerability would be prevented, and only sanitized data would be displayed to users.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability is straightforward to exploit by submitting malicious scripts through the vulnerable parameters, and proof-of-concept details are publicly available in the references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.0.8

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3467556%40wpbookit&new=3467556%40wpbookit&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WPBookit plugin. 4. Click 'Update Now' if update is available. 5. If no update appears, manually download latest version from WordPress plugin repository and replace existing files.

🔧 Temporary Workarounds

Disable WPBookit Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate wpbookit

Apply Input Sanitization Filter

all

Add custom WordPress filter to sanitize wpb_user_name and wpb_user_email parameters.

Add to theme's functions.php: add_filter('preprocess_wpb_user_name', 'esc_html'); add_filter('preprocess_wpb_user_email', 'sanitize_email');

🧯 If You Can't Patch

Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious payloads.
Restrict access to the WordPress admin panel and implement strong authentication controls.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WPBookit version 1.0.8 or earlier.

Check Version:

wp plugin get wpbookit --field=version

Verify Fix Applied:

Verify WPBookit plugin version is higher than 1.0.8 in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to booking endpoints with script tags in parameters
Multiple failed XSS attempts in web server logs

Network Indicators:

HTTP requests containing <script> tags in wpb_user_name or wpb_user_email parameters

SIEM Query:

source="web_logs" AND (wpb_user_name CONTAINS "<script>" OR wpb_user_email CONTAINS "javascript:")

📊 Metadata

CVE ID: CVE-2026-1945

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

Published: March 4, 2026

Last Updated: March 4, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-1945, you might also want to check these: