CVE-2026-1945 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WPBookit plugin for WordPress, developed by iqonicdesign. The flaw exists in all versions up to and including 1.0.8 and is due to improper neutralization of input during web page generation, specifically in the handling of the 'wpb_user_name' and 'wpb_user_email' parameters. These parameters are not adequately sanitized or escaped before being rendered in web pages, allowing attackers to inject arbitrary JavaScript code that is stored persistently on the server. When any user visits a page containing the injected script, it executes in their browser context. This vulnerability is exploitable remotely by unauthenticated attackers without requiring user interaction, increasing its severity and ease of exploitation. The CVSS v3.1 base score is 7.2, reflecting high impact on confidentiality and integrity, with no impact on availability. The vulnerability can lead to theft of session cookies, user impersonation, defacement, or redirection to malicious sites. Although no public exploits have been reported yet, the vulnerability's presence in a popular WordPress plugin makes it a critical concern for website administrators. The vulnerability was reserved on 2026-02-04 and published on 2026-03-04, with no official patches available at the time of reporting, necessitating immediate mitigation efforts.

The impact of CVE-2026-1945 is significant for organizations using the WPBookit plugin on WordPress sites. Successful exploitation allows attackers to execute arbitrary scripts in the context of users visiting the affected pages, potentially leading to session hijacking, credential theft, unauthorized actions on behalf of users, website defacement, or distribution of malware. This can erode user trust, damage brand reputation, and lead to regulatory or compliance issues if sensitive user data is compromised. Since the vulnerability requires no authentication and no user interaction, it can be exploited at scale by automated attacks, increasing the risk of widespread compromise. Organizations with customer-facing websites or portals using WPBookit are particularly vulnerable, as attackers can target both administrators and end-users. The scope of affected systems is broad due to WordPress's global popularity and the plugin's usage in booking and scheduling contexts, which often handle personal user information. The vulnerability does not impact system availability directly but can indirectly cause service disruptions through reputational damage or remediation efforts.

To mitigate CVE-2026-1945, organizations should take immediate action even if an official patch is not yet available. First, monitor the vendor's channels for updates or patches and apply them promptly once released. In the interim, restrict or disable the WPBookit plugin if feasible to eliminate the attack surface. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'wpb_user_name' and 'wpb_user_email' parameters. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Conduct thorough input validation and output encoding on all user-supplied data within custom code or additional plugins to prevent similar issues. Regularly audit and sanitize stored data in the plugin's database fields to remove any injected scripts. Educate site administrators on recognizing signs of XSS exploitation and encourage the use of multi-factor authentication to reduce the impact of credential theft. Finally, maintain regular backups and incident response plans to quickly recover from any compromise.