CVE-2026-0742 is a stored cross-site scripting (XSS) vulnerability identified in the Smart Appointment & Booking plugin for WordPress, developed by zealopensource. This vulnerability exists in all versions up to and including 1.0.7 due to improper neutralization of input during web page generation (CWE-79). Specifically, the issue arises from insufficient input sanitization and output escaping in the saab_save_form_data AJAX action, which processes user-supplied attributes. Authenticated attackers with at least Subscriber-level access can exploit this flaw by injecting arbitrary JavaScript code that is stored persistently and executed in the context of any user who views the affected pages. Because the vulnerability requires authentication but no user interaction beyond page viewing, it can be leveraged to perform actions such as session hijacking, defacement, or further privilege escalation within the WordPress environment. The CVSS v3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges (low), no user interaction, and impacts on confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability's presence in a widely used WordPress plugin makes it a notable risk. The vulnerability was reserved in early January 2026 and published in February 2026, with no patches currently linked, indicating that users must apply manual mitigations or await vendor updates.

The impact of CVE-2026-0742 is significant for organizations using the Smart Appointment & Booking plugin on WordPress sites. Successful exploitation allows attackers with minimal privileges (Subscriber-level) to inject persistent malicious scripts that execute in the browsers of site visitors or administrators. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access escalation. Attackers might also manipulate site content, redirect users to malicious sites, or conduct phishing attacks leveraging the trusted site context. While availability is not directly affected, the compromise of confidentiality and integrity can damage organizational reputation, lead to data breaches, and facilitate further attacks within the network. Given WordPress's widespread use globally, especially for small to medium business websites, the vulnerability poses a broad risk. The lack of known exploits currently reduces immediate threat but does not eliminate the risk of future exploitation, especially as automated scanning tools may soon incorporate this vulnerability. Organizations relying on this plugin for appointment booking and customer interaction could face operational disruptions and loss of customer trust if exploited.

To mitigate CVE-2026-0742, organizations should take immediate and specific actions beyond generic advice: 1) Restrict user roles and permissions strictly, ensuring only trusted users have Subscriber-level or higher access, minimizing the attack surface. 2) Implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious payloads targeting the saab_save_form_data AJAX endpoint. 3) Conduct manual code review or apply temporary input validation and output escaping patches if vendor updates are unavailable, focusing on sanitizing all user-supplied input in AJAX handlers. 4) Monitor web server and application logs for unusual POST requests to the vulnerable AJAX action and anomalous script injections in stored content. 5) Educate site administrators and users about the risks of XSS and encourage use of multi-factor authentication to reduce impact of session hijacking. 6) Plan for rapid deployment of official patches once released by zealopensource and test updates in staging environments before production rollout. 7) Consider isolating or disabling the plugin temporarily if critical until a secure version is available, especially on high-value or sensitive sites.