Description
Unauthenticated Cross Site Scripting (XSS) in WP Time Slots Booking Form <= 1.2.46 versions.
Published: 2026-06-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated cross‑site scripting is possible in the WP Time Slots Booking Form plugin versions up to 1.2.46. The flaw allows an attacker to inject malicious JavaScript into the plugin’s output, which is then executed by any visitor who views the affected page. This can lead to defacement, theft of user cookies, and the execution of further malware in the context of the site’s users, without requiring authentication.

Affected Systems

WordPress sites that have installed the WP Time Slots Booking Form plugin from codepeople at or below version 1.2.46 are affected. Updates starting with 1.2.47 contain the fix.

Risk and Exploitability

The CVSS score of 7.1 reflects a moderate to high risk. With an EPSS score of less than 1 %, exploitation likelihood is low but not zero, and the vulnerability is currently not listed in CISA’s KEV catalog. The attack vector is likely a web‑based interaction, and no user authentication is required to deliver the payload.

Generated by OpenCVE AI on June 16, 2026 at 21:07 UTC.

Remediation

Vendor Solution

Update the WordPress WP Time Slots Booking Form Plugin to the latest available version (at least 1.2.47).

OpenCVE Recommended Actions

  • Upgrade the WP Time Slots Booking Form plugin to the latest version, at least 1.2.47, which removes the injection point.
  • Disable or uninstall the plugin if it is no longer required for your site’s functionality.
  • Monitor exposed pages for unexpected script tags and validate that no malicious code is present after the update.

Generated by OpenCVE AI on June 16, 2026 at 21:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Codepeople
Codepeople wp Time Slots Booking Form
Wordpress
Wordpress wordpress
Vendors & Products Codepeople
Codepeople wp Time Slots Booking Form
Wordpress
Wordpress wordpress
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in WP Time Slots Booking Form <= 1.2.46 versions.
Title WordPress WP Time Slots Booking Form plugin <= 1.2.46 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Codepeople Wp Time Slots Booking Form
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:28:26.570Z

Reserved: 2026-04-15T09:20:46.957Z

Link: CVE-2026-40791

cve-icon Vulnrichment

Updated: 2026-06-16T01:28:21.569Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:51.417

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-40791

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T21:15:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')