CVE-2026-1083 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Appointment Hour Booking – Booking Calendar plugin for WordPress. This vulnerability affects all versions up to and including 1.5.60. The root cause is insufficient sanitization and escaping of input data in the 'Min length/characters' and 'Max length/characters' fields used in form field configuration. An attacker with administrator-level access or higher can inject arbitrary JavaScript code into these fields. Because the vulnerability is stored, the malicious script persists and executes whenever a user accesses the form builder interface, potentially compromising the confidentiality and integrity of the affected system. The vulnerability only manifests in multi-site WordPress installations or those where the unfiltered_html capability is disabled, limiting its scope. The CVSS 3.1 score of 4.4 reflects that exploitation requires network access, high privileges, no user interaction, and results in limited confidentiality and integrity impacts without affecting availability. No public exploits have been reported yet, but the vulnerability poses a risk in environments where trusted administrators might be compromised or malicious. The lack of patch links indicates that a fix may not yet be available, emphasizing the need for mitigation.

The primary impact of this vulnerability is the potential for stored cross-site scripting attacks, which can lead to the execution of arbitrary scripts in the context of the affected WordPress site. This can result in the theft of sensitive information such as authentication tokens, session cookies, or other data accessible to the browser. It may also allow attackers to perform unauthorized actions on behalf of legitimate users, potentially compromising site integrity. However, since exploitation requires administrator-level access, the risk of external attackers exploiting this flaw directly is limited. The vulnerability could be leveraged by insider threats or attackers who have already gained elevated privileges. Multi-site WordPress installations are particularly at risk, and organizations using this plugin in such configurations could face targeted attacks that undermine trust and security. While availability is not impacted, the confidentiality and integrity of site data and user interactions are at risk, which can lead to reputational damage and potential regulatory consequences.

To mitigate CVE-2026-1083, organizations should first verify if they are running the Appointment Hour Booking – Booking Calendar plugin on multi-site WordPress installations or have unfiltered_html disabled. Immediate steps include restricting administrator access to trusted personnel only and auditing existing form field configurations for suspicious input in the 'Min length/characters' and 'Max length/characters' fields. Since no official patch is currently linked, consider temporarily disabling or uninstalling the plugin in multi-site environments until a fix is available. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script payloads in form submissions can provide additional protection. Regularly monitor WordPress user activity logs for unusual behavior indicative of exploitation attempts. Educate administrators about the risks of injecting untrusted input into configuration fields. Finally, maintain up-to-date backups of WordPress sites to enable recovery if exploitation occurs.