Tennis Court Bookings Vulnerability (Medium) – CVE-2026-1044

Feb 18, 2026 | Plugins

Attack Vectors

The Tennis Court Bookings WordPress plugin (slug: tennis-court-bookings) is affected by an authenticated stored cross-site scripting (XSS) vulnerability rated Medium severity (CVSS 4.4; CVE-2026-1044). Exploiting it requires Administrator-level access or higher, so the attacker is either a malicious insider holding that role or someone who has taken over an administrator account.

The injection points are the plugin's Admin Settings and calendar parameters. Once the payload is saved, it executes in the browser of anyone who views the affected settings page or interface area, turning a single admin action into a persistent risk. Per the published details, the issue only affects WordPress multisite installations and sites where unfiltered_html has been disabled. The reason for that scoping is that WordPress grants single-site administrators the unfiltered_html capability, so storing raw HTML is expected behaviour for them; the flaw matters where that capability is absent, which is the case on multisite (only Super Admins hold it) and on any site where DISALLOW_UNFILTERED_HTML has been defined.

Security Weakness

The root cause is described as insufficient input sanitization and output escaping in versions up to and including Tennis Court Bookings 1.2.7. In plain terms, the plugin does not consistently sanitize certain settings and calendar inputs when they are saved (for example with sanitize_text_field), nor escape them for the HTML context they are printed into when they are displayed later (esc_html for element text, esc_attr for attribute values). Either control alone would have blocked the stored script; missing both lets script content be saved and then executed in a user's browser.
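To make the weakness class concrete, here is an added example (not code from the Tennis Court Bookings plugin or from the advisory) of a WordPress settings handler written two ways: the vulnerable pattern that stores a submitted value verbatim and echoes it verbatim, and a hardened version that authorizes the request, sanitizes on save and escapes on output. The function, option and field names prefixed tcb_example_ are hypothetical, as is the "calendar title" setting; the code assumes it is loaded inside WordPress as part of a plugin so the WordPress APIs it calls are available.

```php
<?php
// Added example, not code from the Tennis Court Bookings plugin. Names prefixed
// tcb_example_ are hypothetical. Assumes it runs inside WordPress as plugin code.

// ---- Vulnerable pattern --------------------------------------------------
// The submitted value is stored as-is and later printed as-is. A user who lacks
// the unfiltered_html capability (every administrator on multisite, or anyone
// when DISALLOW_UNFILTERED_HTML is set) can store "<script>...</script>" here,
// and it then runs for every user who opens the settings page.
function tcb_example_save_settings_unsafe() {
    if ( isset( $_POST['tcb_example_calendar_title'] ) ) {
        update_option( 'tcb_example_calendar_title', wp_unslash( $_POST['tcb_example_calendar_title'] ) );
    }
}

function tcb_example_render_settings_unsafe() {
    $title = get_option( 'tcb_example_calendar_title', '' );
    echo '<h2>' . $title . '</h2>';                                                       // element context, unescaped
    echo '<input type="text" name="tcb_example_calendar_title" value="' . $title . '">';   // attribute context, unescaped
}

// ---- Hardened pattern ----------------------------------------------------
// 1. Authorize the caller and verify the nonce before touching options.
// 2. Sanitize on save: a calendar title is plain text, so strip all markup.
// 3. Escape on output for the exact HTML context the value lands in.
function tcb_example_save_settings_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'tcb_example_save_settings' );

    if ( isset( $_POST['tcb_example_calendar_title'] ) ) {
        // sanitize_text_field() strips tags, invalid octets, encoded '<' and extra whitespace.
        $title = sanitize_text_field( wp_unslash( $_POST['tcb_example_calendar_title'] ) );
        update_option( 'tcb_example_calendar_title', $title );
    }

    wp_safe_redirect( wp_get_referer() ?: admin_url( 'options-general.php' ) );
    exit;
}

function tcb_example_render_settings_safe() {
    $title = get_option( 'tcb_example_calendar_title', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="tcb_example_save">';
    wp_nonce_field( 'tcb_example_save_settings' );
    echo '<h2>' . esc_html( $title ) . '</h2>';                                                     // element context
    echo '<input type="text" name="tcb_example_calendar_title" value="' . esc_attr( $title ) . '">'; // attribute context
    echo '<button type="submit">Save</button></form>';
}

// Route admin-post.php?action=tcb_example_save to the hardened handler.
add_action( 'admin_post_tcb_example_save', 'tcb_example_save_settings_safe' );
```

The same discipline applies when a plugin uses the Settings API instead of a hand-rolled handler: pass a sanitize_callback to register_setting() so every write is cleaned, and still escape at each output site, because a value that is safe in element text is not automatically safe inside an attribute or a script block.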

This matters even when the attacker is already "inside" the organization (or has gained admin access through credential theft), because the injected script runs with the privileges of whoever views the page, not the privileges of whoever planted it. On a multisite network, a site administrator who cannot store raw HTML can still target the Super Admin who later opens that site's settings, and the script can then manipulate what that user sees or trigger actions in their session. That is how a stored XSS quietly expands impact and sets the stage for further compromise, especially where multiple stakeholders access the site.

Technical or Business Impacts

Business risk: Stored XSS can undermine trust in your brand and your online booking experience by enabling unauthorized content injection, misleading messages, or user redirection. For marketing, this can translate into damaged credibility, disrupted campaigns, and reduced conversion rates if visitors encounter suspicious behavior.

Operational and compliance risk: If administrative access is abused, the impact can extend beyond a single page view—potentially affecting staff workflows, reporting integrity, and audit confidence. In regulated environments, any incident involving unauthorized script execution and potential data exposure can trigger internal reporting, compliance review, and legal/PR costs, even when the CVSS severity is listed as Medium.

Scope considerations: The published advisory states this affects multisite and cases where unfiltered_html is disabled. If your organization uses multisite to manage multiple locations/brands, that can increase the number of stakeholders and pages potentially exposed to the injected content.

Remediation status: The advisory notes that no patch is known to be available at the time of writing. For many organizations, the most risk-reducing option may be to uninstall the affected software and replace it, especially if the plugin is not business-critical or if compensating controls are difficult to maintain. Review the official record (CVE-2026-1044) and the source advisory (the Wordfence vulnerability entry) for details.

Practical mitigations (risk-based): Limit and monitor administrator access (including enforcing MFA), review recent admin activity for unexpected settings or content changes, and restrict who can access or modify the plugin's settings. In multisite environments, keep in mind that a Super Admin viewing a subsite's settings page is the highest-value target for an injected script, so be deliberate about which subsite administrators can edit this plugin's settings. If you cannot remove the plugin immediately, add monitoring for unexpected page changes and anomalous admin actions, aligned with your organization's risk tolerance.
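The "review recent settings changes" step is easier with a concrete check. The following added triage script (not part of the plugin or the advisory) scans the current site's options table for markup that should never appear in a plain-text setting, which is where this plugin stores its Admin Settings and calendar parameters. It is meant to be run with WP-CLI via `wp eval-file`, which loads WordPress so that `$wpdb` is available; the needle list and the file name are my assumptions, and a hit is a lead for manual review, not proof of compromise.

```php
<?php
// Added triage helper, not code from the plugin or the advisory.
// Usage (assumed): wp eval-file tcb-scan-options.php [--url=https://subsite.example]
// On multisite each site has its own options table, so run once per site of interest.
// Assumes WordPress is loaded (WP-CLI does this), which makes $wpdb available.

function tcb_example_find_suspicious_options() {
    global $wpdb;

    // Substrings that should not occur in a plain-text setting. Serialized option
    // values are still plain strings in the table, so LIKE matches inside them too.
    $needles = array( '<script', 'javascript:', 'onerror=', 'onload=', 'onmouseover=', '<iframe', '<svg' );
    $hits    = array();

    foreach ( $needles as $needle ) {
        $rows = $wpdb->get_results(
            $wpdb->prepare(
                "SELECT option_name FROM {$wpdb->options} WHERE option_value LIKE %s",
                '%' . $wpdb->esc_like( $needle ) . '%'
            )
        );
        foreach ( $rows as $row ) {
            $hits[ $row->option_name ][] = $needle;
        }
    }

    return $hits; // option_name => list of matched needles
}

foreach ( tcb_example_find_suspicious_options() as $name => $matched ) {
    $line = sprintf( '%s: matched %s', $name, implode( ', ', array_unique( $matched ) ) );
    if ( class_exists( 'WP_CLI' ) ) {
        WP_CLI::warning( $line );
    } else {
        echo $line, PHP_EOL;
    }
}
```

Expect some false positives: widgets that legitimately hold custom HTML, or settings that store inline SVG icons, will match. Inspect each flagged option with `wp option get <name>`, compare it against a known-good backup, and treat any `<script>` or event-handler attribute inside a booking or calendar setting as an incident indicator rather than a configuration quirk.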

Similar attacks (real examples): Stored XSS has been used to spread rapidly and impact user trust at scale, such as the Samy worm on MySpace and the 2010 Twitter worm.
