Impact
This vulnerability resides in the WordPress appointment‑booking‑calendar plugin version 1.1.24. The settings handler behind the plugin's admin.php page accepts request parameters without verifying that the caller is authenticated or authorised, so an unauthenticated attacker can overwrite calendar settings and persist arbitrary JavaScript in the 'ict', 'ics' and 'name' options. Because those stored values are later rendered without escaping, the payload executes in the browser of any user who views the calendar or opens the plugin's administration interface, including administrators. The flaw therefore combines a missing authorisation check (an unauthenticated party changing administrative settings) with stored cross‑site scripting, which an attacker can use to run arbitrary client‑side code in an administrator's session.
Affected Systems
The affected product is the dwbooster Booking Calendar Contact plugin for WordPress (appointment‑booking‑calendar), version 1.1.24. No other versions or vendor releases are listed in the provided data; the vulnerability arises directly from that plugin's handling of its configuration options.
Risk and Exploitability
The CVSS score of 5.1 indicates medium severity. No EPSS score is available, so there is no current estimate of exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalogue. Exploitation requires only a crafted GET request to the plugin's admin.php endpoint; no credentials are needed to store the script. Because the flaw is triggered through ordinary request parameters, it is exploitable remotely over HTTP or HTTPS by anyone who can reach the site, whether from the same network or the internet. The stored payload then runs in the browser of whoever next views the calendar or the plugin's settings page, so the practical impact depends on an administrator loading the injected content.
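To make the failure mode concrete, the following is an added illustration in PHP; it is not code from the appointment‑booking‑calendar plugin or from dwbooster. It shows a hypothetical WordPress settings handler written in the vulnerable style the advisory describes (settings saved from request parameters with no capability check, no nonce and no sanitisation), followed by a hardened version that checks who is calling, verifies a nonce, sanitises on input and escapes on output. The option keys 'ict', 'ics' and 'name' come from the advisory; the function names, the 'demo_' option prefix, the hooks and the form markup are assumptions made for this example.

```php
<?php
// Added example, not the plugin's own code. Option keys 'ict', 'ics' and
// 'name' are from the advisory; every other name here is an assumption.

$demo_keys = array( 'ict', 'ics', 'name' );

// --- Vulnerable pattern -------------------------------------------------
// Runs on every request, reads settings straight from the query string and
// stores them. Nothing checks that the caller is logged in or allowed to
// change settings, and the values are stored verbatim, so
//   ?ict=<script>...</script>
// is persisted as-is and becomes stored XSS wherever the option is printed.
function demo_save_settings_vulnerable() {
    global $demo_keys;
    foreach ( $demo_keys as $key ) {
        if ( isset( $_GET[ $key ] ) ) {
            update_option( 'demo_' . $key, $_GET[ $key ] ); // raw, untrusted
        }
    }
}
// Hooked to 'init' here to mirror "reachable without authentication"
// (assumption about how such a handler might be wired).
add_action( 'init', 'demo_save_settings_vulnerable' );

// --- Hardened pattern ---------------------------------------------------
function demo_save_settings_hardened() {
    global $demo_keys;

    // Only act on an explicit form submission, never on a bare page load.
    if ( ! isset( $_POST['demo_save'] ) ) {
        return;
    }

    // Authorisation: the caller must be allowed to manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF: the form must carry a nonce issued by wp_nonce_field() below.
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );

    foreach ( $demo_keys as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            // Strip slashes WordPress adds, then reduce to plain text.
            $clean = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
            update_option( 'demo_' . $key, $clean );
        }
    }
}
// admin_init only fires for wp-admin requests; the capability and nonce
// checks above are what actually enforce who may save.
add_action( 'admin_init', 'demo_save_settings_hardened' );

// Output: escape at the point of use regardless of what is stored, so a
// value that reached the database by some other path still cannot execute.
function demo_render_settings_form() {
    global $demo_keys;

    echo '<form method="post">';
    wp_nonce_field( 'demo_save_settings', 'demo_nonce' );
    foreach ( $demo_keys as $key ) {
        $value = get_option( 'demo_' . $key, '' );
        printf(
            '<label>%s <input type="text" name="%s" value="%s"></label><br>',
            esc_html( $key ),
            esc_attr( $key ),
            esc_attr( $value ) // attribute context: esc_attr, not esc_html
        );
    }
    echo '<input type="submit" name="demo_save" value="Save">';
    echo '</form>';
}
```

Two checks matter when reviewing a plugin for this class of bug: every code path that calls update_option() on request data should sit behind a capability check and a nonce verification, and every place an option is printed should escape for its context (esc_attr() inside attributes, esc_html() in element text). When triaging a site that ran the affected version, inspect the stored values of the plugin's options in the database directly rather than through the settings page, since opening that page is exactly what triggers the payload.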
OpenCVE Enrichment