Description
The SuperSaaS – online appointment scheduling plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘after’ parameter in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is limited to Chromium-based browsers (e.g. Chrome, Edge, Brave).
Published: 2025-02-11
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting with Contributor‑level access
Action: Apply Patch
AI Analysis

Impact

The SuperSaaS – online appointment scheduling plugin for WordPress is vulnerable to stored Cross‑Site Scripting because the ‘after’ parameter is not properly sanitized or escaped. An authenticated attacker with Contributor access can inject arbitrary JavaScript that will execute whenever any user views a page containing the injected content, allowing for actions such as cookie theft, session hijacking, or phishing attacks. The flaw is limited to Chromium‑based browsers such as Chrome, Edge, and Brave, but once injected it persists in the stored content and can impact every user that later views the affected page.

Affected Systems

All installations of the SuperSaaS – online appointment scheduling WordPress plugin in releases up to and including version 2.1.12 are affected. Any site running those versions and granting Contributor or higher privileges can be used to inject malicious scripts via the vulnerable parameter.

Risk and Exploitability

With a CVSS base score of 4.9, the flaw is rated moderate severity. The EPSS score of less than 1% signals a very low likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog, and the requirement for authenticated Contributor privileges together with a Chromium-based browser narrows the attack surface. Nevertheless, because the XSS is stored, any user who later views the affected content can be compromised.

Generated by OpenCVE AI on April 22, 2026 at 13:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SuperSaaS plugin to a version that sanitizes the ‘after’ parameter (2.1.13 or later).
  • Restrict or remove Contributor‑level access to the ability to edit or inject content that uses the ‘after’ parameter.
  • Deploy a web application firewall rule or a Content‑Security‑Policy header that blocks or neutralizes user‑supplied JavaScript in the plugin’s shortcodes.

Generated by OpenCVE AI on April 22, 2026 at 13:30 UTC.
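To make the first recommended action concrete, the following is an added, defender-side illustration of the sanitize-and-escape pattern a shortcode attribute like ‘after’ needs. It is hypothetical example code, not the SuperSaaS plugin's code: the attribute name `after` comes from the advisory, while the shortcode tag `example_booking`, the function names and the allowed-tag list are assumptions. The WordPress functions used (`shortcode_atts`, `esc_html`, `wp_kses`, `add_shortcode`) are real core APIs.

```php
<?php
// Hypothetical shortcode handler; not the SuperSaaS plugin's code.
// Only the attribute name 'after' is taken from the advisory; the shortcode
// tag, function names and allowed-tag list below are assumptions.

// Weak pattern: the attribute value is concatenated into the page unchanged.
// A Contributor can place markup (including event-handler attributes) in the
// attribute; it is saved with the post and rendered for every later viewer.
function example_booking_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'after' => '' ), $atts, 'example_booking' );
    return '<div class="booking-widget"></div>' . $atts['after'];
}

// Hardened pattern 1: treat 'after' as plain text. esc_html() encodes <, >, &
// and quotes, so the value is displayed literally and never parsed as markup.
function example_booking_shortcode_text( $atts ) {
    $atts = shortcode_atts( array( 'after' => '' ), $atts, 'example_booking' );
    return '<div class="booking-widget"></div>' . esc_html( $atts['after'] );
}

// Hardened pattern 2: if limited HTML after the widget is a feature, allow-list
// it with wp_kses(). Tags and attributes not in $allowed are stripped, which
// removes script elements and on* handlers; href values are also restricted to
// the default allowed protocols.
function example_booking_shortcode_html( $atts ) {
    $atts    = shortcode_atts( array( 'after' => '' ), $atts, 'example_booking' );
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );
    return '<div class="booking-widget"></div>' . wp_kses( $atts['after'], $allowed );
}

// Register the hardened variant; the unsafe one is kept above only for contrast.
add_shortcode( 'example_booking', 'example_booking_shortcode_html' );
```

The decision that matters is made once, at output: either the value is text (escape it) or it is constrained HTML (allow-list it). Sanitizing only on save is not sufficient on its own, because content can reach the database through other paths (imports, REST, older posts), and escaping at render covers all of them. A Content-Security-Policy that omits `'unsafe-inline'` for `script-src`, as the third recommendation suggests, is a useful second layer but does not replace fixing the escaping in the plugin.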

Advisories
Source: EUVD
ID: EUVD-2025-1902
Title: The SuperSaaS – online appointment scheduling plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘after’ parameter in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is limited to Chromium-based browsers (e.g. Chrome, Edge, Brave).
History

Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics
Values removed: epss {'score': 0.00029}
Values added: epss {'score': 0.00032}

Wed, 12 Feb 2025 21:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 11 Feb 2025 11:15:00 +0000

Type: Description
Values added: The SuperSaaS – online appointment scheduling plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘after’ parameter in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is limited to Chromium-based browsers (e.g. Chrome, Edge, Brave).

Type: Title
Values added: SuperSaaS – online appointment scheduling <= 2.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via after Parameter

Type: Weaknesses
Values added: CWE-79

Type: References
Values added: (none shown)

Type: Metrics
Values added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:50.367Z

Reserved: 2025-01-29T21:23:56.432Z

Link: CVE-2025-0862

Vulnrichment

Updated: 2025-02-12T20:46:47.731Z

NVD

Status: Deferred

Published: 2025-02-11T11:15:16.043

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-0862

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:30:17Z

Weaknesses