CVE-2026-0742
Stored XSS in Smart Appointment & Booking WordPress Plugin Allows Script Injection
Publication date: 2026-02-04
Last updated on: 2026-02-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpdevart | smart_appointment_and_booking | to 1.0.7 (inc) |
| wordfence | smart_appointment_and_booking | to 1.0.7 (inc) |
| wordfence | smart_appointment_and_booking | 1.0.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Smart Appointment & Booking WordPress plugin (up to version 1.0.7) is a Stored Cross-Site Scripting (XSS) issue. It occurs via the saab_save_form_data AJAX action due to insufficient input sanitization and output escaping on user-supplied attributes.
This flaw allows authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page, potentially compromising user data or site integrity.
How can this vulnerability impact me? :
This Stored Cross-Site Scripting vulnerability can lead to several impacts:
- Execution of malicious scripts in the context of users visiting the affected pages.
- Potential theft of user session cookies or credentials.
- Unauthorized actions performed on behalf of users without their consent.
- Defacement or manipulation of website content.
- Compromise of site integrity and user trust.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves Stored Cross-Site Scripting (XSS) via the saab_save_form_data AJAX action in the Smart Appointment & Booking WordPress plugin versions up to 1.0.7. Detection involves identifying malicious script injections in booking form data submitted by authenticated users with Subscriber-level access or higher.'}, {'type': 'paragraph', 'content': "To detect exploitation attempts or presence of this vulnerability on your system, you can monitor HTTP requests to the AJAX endpoint handling form data submissions, specifically requests to the action 'saab_save_form_data' or 'saab_save_form_submission'. Look for suspicious payloads containing script tags or JavaScript code in POST parameters."}, {'type': 'paragraph', 'content': 'Suggested commands to detect potential exploitation attempts include:'}, {'type': 'list_item', 'content': 'Using web server access logs, search for POST requests to admin-ajax.php with the relevant action parameter:'}, {'type': 'list_item', 'content': "grep 'action=saab_save_form_submission' /var/log/apache2/access.log | grep -i '<script>'"}, {'type': 'list_item', 'content': 'Or, to detect any suspicious JavaScript payloads in POST data, use a network capture tool like tcpdump or Wireshark to filter HTTP POST requests to admin-ajax.php and inspect payloads for script tags.'}, {'type': 'list_item', 'content': 'Example tcpdump command to capture HTTP POST traffic to admin-ajax.php (adjust interface and host accordingly):'}, {'type': 'list_item', 'content': "tcpdump -i eth0 -A -s 0 'tcp port 80 and (((ip dst host yourserverip) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x706f7374)))' | grep -i 'action=saab_save_form_submission'"}, {'type': 'paragraph', 'content': 'Additionally, scanning the WordPress database for stored entries in the booking forms that contain suspicious script tags or JavaScript code in user-submitted fields can help detect stored XSS payloads.'}] [1, 6]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'To mitigate this Stored Cross-Site Scripting vulnerability in the Smart Appointment & Booking plugin, immediate steps include:'}, {'type': 'list_item', 'content': 'Update the plugin to version 1.0.8 or later, where the vulnerability is fixed by enhanced input sanitization, nonce verification, and output escaping.'}, {'type': 'list_item', 'content': "If immediate update is not possible, restrict access to the plugin's AJAX actions by limiting authenticated user roles that can submit booking forms, especially restricting Subscriber-level users from submitting data until patched."}, {'type': 'list_item', 'content': 'Implement Web Application Firewall (WAF) rules to block requests containing suspicious script tags or JavaScript payloads targeting the AJAX endpoints.'}, {'type': 'list_item', 'content': 'Review and sanitize any stored booking form data in the database to remove malicious scripts.'}, {'type': 'list_item', 'content': 'Enable and enforce nonce verification for AJAX requests if it is disabled or commented out, as nonce checks help prevent unauthorized or forged requests.'}, {'type': 'paragraph', 'content': 'These steps align with the security improvements introduced in version 1.0.8, which include strict input sanitization, nonce verification, and output escaping to prevent injection attacks.'}] [3, 6]