CVE-2026-0742 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Smart Appointment & Booking plugin for WordPress, developed by zealopensource. This vulnerability exists in all versions up to and including 1.0.7 and arises from insufficient sanitization and escaping of user-supplied input within the saab_save_form_data AJAX action. Specifically, authenticated users with Subscriber-level privileges or higher can inject arbitrary JavaScript code into the plugin's form data, which is then stored and rendered on pages accessed by other users. Because the malicious script is stored persistently, it executes in the context of any user visiting the affected page, potentially allowing attackers to hijack user sessions, steal cookies, perform actions on behalf of users, or escalate privileges within the WordPress environment. The vulnerability requires authentication but no additional user interaction to trigger the payload once the malicious input is stored. The CVSS v3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required at the low level. The scope is changed, indicating that the vulnerability can affect resources beyond the initially compromised component, impacting confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites relying on this plugin for appointment and booking management. The lack of a patch link suggests that a fix is either pending or not yet publicly available, emphasizing the need for immediate attention by site administrators.

For European organizations, especially small and medium enterprises (SMEs) and service providers using WordPress with the Smart Appointment & Booking plugin, this vulnerability can lead to unauthorized access to sensitive user data, session hijacking, and potential defacement or manipulation of booking information. Confidentiality is at risk as attackers can steal cookies or tokens, while integrity can be compromised through unauthorized actions performed by injected scripts. Although availability is not directly impacted, the reputational damage and potential regulatory consequences under GDPR for data breaches could be significant. Sectors such as healthcare, legal services, and personal care businesses that rely heavily on appointment scheduling are particularly vulnerable. The requirement for authenticated access lowers the attack surface but does not eliminate risk, as subscriber-level accounts are commonly available to registered users or customers. The stored nature of the XSS increases persistence and impact, as malicious scripts remain active until removed. This can facilitate lateral movement or further exploitation within the affected WordPress environment, potentially leading to broader compromise.

European organizations should immediately audit their WordPress installations to identify the presence of the Smart Appointment & Booking plugin and verify the version in use. Until an official patch is released, administrators should restrict user roles to trusted individuals only, minimizing the number of users with Subscriber-level or higher access. Implementing Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the saab_save_form_data AJAX action can provide interim protection. Additionally, input validation and output encoding should be enforced at the application level if custom modifications are possible. Regularly monitoring logs for unusual AJAX requests or unexpected form submissions can help detect exploitation attempts. Organizations should also educate users about the risks of XSS and encourage strong authentication practices. Once a patch is available, prompt updating is critical. Backup procedures should be reviewed to ensure rapid recovery in case of compromise. Finally, consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts.