{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0742", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-08T17:00:00.618Z", "datePublished": "2026-02-04T08:25:32.460Z", "dateUpdated": "2026-04-08T17:19:24.185Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:24.185Z"}, "affected": [{"vendor": "zealopensource", "product": "Smart Appointment & Booking", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Smart Appointment & Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the saab_save_form_data AJAX action in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Smart Appointment & Booking <= 1.0.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting via saab_save_form_data AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bf332c0d-5481-412d-b44a-b3de346d7b60?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-appointment-booking/trunk/inc/admin/class.saab.admin.action.php#L1203"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-appointment-booking/tags/1.0.7/inc/admin/class.saab.admin.action.php#L1203"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-appointment-booking/trunk/inc/front/class.saab.front.action.php#L2189"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-appointment-booking/tags/1.0.7/inc/front/class.saab.front.action.php#L2189"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3450387%40smart-appointment-booking&new=3450387%40smart-appointment-booking&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2026-02-03T19:43:03.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:52:37.523269Z", "id": "CVE-2026-0742", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:52:48.316Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0742", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T16:52:37.523269Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:52:44.304Z"}}], "cna": {"title": "Smart Appointment & Booking <= 1.0.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting via saab_save_form_data AJAX Action", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "zealopensource", "product": "Smart Appointment & Booking", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-03T19:43:03.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bf332c0d-5481-412d-b44a-b3de346d7b60?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-appointment-booking/trunk/inc/admin/class.saab.admin.action.php#L1203"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-appointment-booking/tags/1.0.7/inc/admin/class.saab.admin.action.php#L1203"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-appointment-booking/trunk/inc/front/class.saab.front.action.php#L2189"}, {"url": "https://plugins.trac.wordpress.org/browser/smart-appointment-booking/tags/1.0.7/inc/front/class.saab.front.action.php#L2189"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3450387%40smart-appointment-booking&new=3450387%40smart-appointment-booking&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Smart Appointment & Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the saab_save_form_data AJAX action in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:24.185Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0742", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:19:24.185Z", "dateReserved": "2026-01-08T17:00:00.618Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-04T08:25:32.460Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Smart Appointment & Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the saab_save_form_data AJAX action in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Smart Appointment &amp; Booking para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de la acci\u00f3n AJAX saab_save_form_data en todas las versiones hasta la 1.0.7, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-0742", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-04T09:15:52.477", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/smart-appointment-booking/tags/1.0.7/inc/admin/class.saab.admin.action.php#L1203"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/smart-appointment-booking/tags/1.0.7/inc/front/class.saab.front.action.php#L2189"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/smart-appointment-booking/trunk/inc/admin/class.saab.admin.action.php#L1203"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/smart-appointment-booking/trunk/inc/front/class.saab.front.action.php#L2189"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3450387%40smart-appointment-booking&new=3450387%40smart-appointment-booking&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bf332c0d-5481-412d-b44a-b3de346d7b60?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T18:51:17.400516+00:00", "value": {"mitigation_remediation": ["Update the Smart Appointment & Booking plugin to version 1.0.8 or later, which removes the improper sanitization and output escaping.", "If an upgrade is not immediately possible, disable the saab_save_form_data AJAX endpoint for Subscriber and lower roles until the patch is applied.", "Ensure that any data stored or displayed by the plugin is properly escaped using WordPress functions such as esc_html() or esc_js().", "Optionally deploy a web\u2011application firewall rule that blocks typical cross\u2011site scripting payloads from being submitted via AJAX."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting via authenticated AJAX action"}, "threat_synthesis": {"affected_systems": "It impacts the WordPress plugin Smart Appointment & Booking from ZealOpenSource. All versions up to and including 1.0.7 are affected; versions 1.0.8 and above are not impacted.", "description_and_impact": "The Smart Appointment & Booking plugin for WordPress is vulnerable to stored cross\u2011site scripting caused by inadequate sanitization and escape of data posted through the saab_save_form_data AJAX action. Authenticated users with Subscriber\u2011level access and above can inject arbitrary JavaScript into the plugin\u2019s data store. When a page that references the stored data is subsequently viewed, the injected script executes in the victim\u2019s browser, enabling the attacker to steal session cookies, deface content, or perform other client\u2011side attacks. This weakness is identified as CWE\u201179 and affects confidentiality, integrity, and potentially availability of the site\u2019s content for all users who view the affected pages.", "risk_and_exploitability": "The bug carries a CVSS score of 6.4 (medium). The EPSS score is below 1\u2009%, indicating a very low exploitation probability at this time, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires authentication with a role of Subscriber or higher, but once the malicious script is stored it can affect any site visitor who loads the injected content. The attack vector is the authenticated AJAX request to saab_save_form_data, and the impact is the execution of arbitrary client\u2011side code."}}}}, "created": "2026-02-04T21:18:21.505390+00:00", "updated": "2026-04-15T19:00:12.283201+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}