CVE-2026-1044 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Tennis Court Bookings plugin for WordPress developed by renoiriii. This vulnerability exists due to improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping in the admin settings interface. It affects all plugin versions up to and including 1.2.7. The flaw allows an authenticated attacker with administrator-level permissions or higher to inject arbitrary JavaScript code into pages managed by the plugin. These scripts execute whenever a user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability is limited to multi-site WordPress installations or those where the unfiltered_html capability is disabled, which restricts the attack surface but still poses a significant risk in such environments. The CVSS 3.1 base score is 4.4, indicating medium severity, with an attack vector of network, high attack complexity, requiring privileges, no user interaction, and a scope change. No public exploits have been reported yet, but the vulnerability's presence in a widely used CMS plugin necessitates prompt attention. The lack of available patches at the time of reporting means organizations must implement interim mitigations or monitor for updates.

For European organizations, the impact of this vulnerability can be significant, especially for those operating multi-site WordPress environments using the Tennis Court Bookings plugin. Exploitation could allow attackers with admin access to inject malicious scripts, potentially compromising user sessions, stealing sensitive information, or manipulating site content. This can lead to reputational damage, data breaches, and regulatory non-compliance under GDPR due to unauthorized data access or leakage. The requirement for administrator-level privileges limits the threat to insider threats or compromised admin accounts, but the scope change in the CVSS vector indicates that the vulnerability could affect other components or users beyond the initial attacker. Organizations managing sports facilities, clubs, or community centers using this plugin are particularly at risk. The absence of known exploits reduces immediate risk but does not eliminate the potential for targeted attacks or exploitation by advanced threat actors. The vulnerability's impact on availability is minimal, but confidentiality and integrity risks remain moderate.

European organizations should first verify if they are running multi-site WordPress installations with the Tennis Court Bookings plugin version 1.2.7 or earlier. Immediate mitigation steps include restricting administrator access to trusted personnel and enabling monitoring for unusual admin activities. Since no official patch is available yet, consider disabling the plugin temporarily or limiting its use to single-site installations where feasible. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the plugin's admin settings. Review and harden WordPress security configurations, including enabling two-factor authentication for admin accounts and regularly auditing user privileges. Educate administrators about the risks of stored XSS and encourage cautious input handling. Monitor vendor communications for patch releases and apply updates promptly once available. Additionally, consider deploying Content Security Policy (CSP) headers to mitigate the impact of injected scripts if exploitation occurs.