CVE-2026-40791: WordPress WP Time Slots Booking Form plugin <= 1.2.46 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in WP Time Slots Booking Form <= 1.2.46 versions.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A reflected or stored cross-site scripting (XSS) vulnerability affects the WP Time Slots Booking Form WordPress plugin at version 1.2.46 and earlier. The flaw is reachable over the network, requires no authentication, but does require a victim to interact with a malicious link or page. Successful exploitation lets an attacker inject and run arbitrary JavaScript in a victim's browser, enabling session theft, page content manipulation, or unauthorized actions on behalf of the user. No fix has been published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-40791 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built WordPress images that bundle the affected plugin. Coverage extends to both registry scans and active CI/CD pipeline checks.
- Triage: Available
Triage is available with a CVSS v3.1 score of 7.1 (HIGH), weighted against each customer organization's per-environment compliance policy to prioritize routing. Findings are surfaced to the appropriate team inbox inside each customer org based on configured ownership rules.
- Patched image: Pending upstream
Because no fix version has been published for CVE-2026-40791, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, the vulnerability remains flagged as unresolved on all matched images so customers can apply compensating controls.
Exploit Conditions
- Network reachability: Required
The affected plugin endpoint is exposed over the network, meaning an attacker can send a crafted request from anywhere on the internet without needing local or adjacent access.
- Authentication: Not required
No account or session credentials are needed; the vulnerability is reachable by any unauthenticated user.
- Victim interaction: Required
A victim must follow a crafted link or visit an attacker-controlled page that triggers the malicious script, making this a social-engineering-dependent attack.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental factors beyond getting the victim to interact.
Blast Radius
- Reads session cookies or authentication tokens stored in the victim's browser, enabling account takeover without credential theft.
- Modifies visible page content in the victim's browser session, allowing phishing overlays or fake login prompts to be injected.
- Performs authenticated actions (form submissions, settings changes) on the WordPress site on behalf of the victim using their active session.
How HarborGuard Handles This
Available on HarborGuard: the CVE is matched against any image that bundles WP Time Slots Booking Form at or below version 1.2.46, and the finding is surfaced with its CVSS 7.1 HIGH score for immediate review. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available to customers the moment a fix version is published. For customers with auto-remediation enabled, that rebuild triggers a regression test run and a PR opened against affected workloads without manual intervention. While no patch is available, recommended compensating controls include network-policy rules that restrict unauthenticated access to the booking form endpoint, a web application firewall rule to block script injection patterns in form inputs, and disabling the plugin if the booking feature is not actively required.
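The matching step above (flag any image whose bundled plugin is at or below 1.2.46) is easy to get wrong with a plain string comparison, because "1.2.46" sorts before "1.2.5" lexically. The following Python is an added example, not HarborGuard's scanner code: it reads the version out of a WordPress plugin header comment and compares it numerically against the advisory's ceiling. The plugin header text is constructed for the example; only the plugin name, author and version ceiling come from the advisory.

```python
"""Check whether a bundled WordPress plugin falls inside an advisory's
affected range. Added example; not HarborGuard's or the plugin's own code."""
import re

# Affected range from the advisory: every version at or below 1.2.46.
AFFECTED_PLUGIN = "WP Time Slots Booking Form"
AFFECTED_CEILING = "1.2.46"

# Constructed plugin header in the format WordPress uses for a plugin's main
# file. The URI and description are placeholders, not the plugin's real values.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: WP Time Slots Booking Form
Plugin URI: https://example.invalid/placeholder
Description: placeholder description
Version: 1.2.46
Author: codepeople
*/
"""


def parse_version(version: str) -> tuple:
    """Turn '1.2.46' into (1, 2, 46) so comparison is numeric per component.
    A string compare would rank '1.2.5' above '1.2.46' and miss a match."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in parts)


def read_plugin_header(source: str) -> dict:
    """Extract 'Key: value' fields from the header comment of a plugin file."""
    fields = {}
    for key in ("Plugin Name", "Version", "Author"):
        # Header lines may or may not carry a leading '*' inside the comment.
        m = re.search(rf"^\s*\*?\s*{re.escape(key)}:\s*(.+?)\s*$",
                      source, re.MULTILINE)
        if m:
            fields[key] = m.group(1)
    return fields


def is_affected(name: str, version: str) -> bool:
    """True when the plugin name matches and the version is <= the ceiling.
    Python compares tuples element-wise, so (1, 2) < (1, 2, 46) < (1, 3)."""
    if name != AFFECTED_PLUGIN:
        return False
    return parse_version(version) <= parse_version(AFFECTED_CEILING)


def check_plugin_source(source: str) -> dict:
    """Report name, version and affected status for one plugin file's source."""
    header = read_plugin_header(source)
    name = header.get("Plugin Name", "")
    version = header.get("Version", "")
    affected = bool(version) and is_affected(name, version)
    return {"name": name, "version": version, "affected": affected}


if __name__ == "__main__":
    print(check_plugin_source(SAMPLE_PLUGIN_HEADER))
```

A real scanner would walk `wp-content/plugins/*/` inside the image and run `check_plugin_source` on each main plugin file; the comparison logic is the part that matters, and it would need extending if a plugin used pre-release suffixes in its version string.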
Affected Products
- codepeople / WP Time Slots Booking Form: ≤ 1.2.46
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L