CVE-2026-40791

Vulnerability

The WP Time Slots Booking Form plugin for WordPress versions up to and including 1.2.46 contains an unauthenticated Cross-Site Scripting (XSS) vulnerability [1]. The flaw exists in input handling that does not properly sanitize user-supplied data, allowing injection of arbitrary HTML and JavaScript. No authentication is required to trigger the vulnerable code path, but successful exploitation requires a privileged user to perform an action such as clicking a malicious link or visiting a crafted page [1].

Exploitation

An attacker can craft a malicious link or form submission containing the XSS payload. Since the vulnerability is unauthenticated, the attacker does not need any prior access to the site. However, exploitation requires user interaction: a privileged user (e.g., administrator) must click the link or submit the form [1]. The injected script then executes in the context of the victim's browser session.

Impact

Successful exploitation allows the attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, which execute when visitors access the affected site [1]. This can lead to information disclosure, session hijacking, or defacement. The impact is limited by the need for user interaction, but the attacker can target any site running the vulnerable plugin.

Mitigation

The vulnerability is fixed in version 1.2.47 of the WP Time Slots Booking Form plugin [1]. Users should update to this version or later immediately. If unable to update, Patchstack offers a mitigation rule to block attacks until the patch is applied [1]. No other workarounds are mentioned in the available reference.