Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.6.8.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Published: 2025-03-13
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated arbitrary shortcode execution (an unvalidated request value is passed to do_shortcode)
Action: Patch immediately
AI Analysis

Impact

The plugin passes a request value to do_shortcode() without validating it, so an attacker can submit any shortcode string and WordPress will parse and execute it. The weakness is classified as CWE‑94 (code injection): the attacker chooses which registered shortcode runs and which attributes it receives. The direct consequence is arbitrary shortcode execution, not arbitrary PHP execution; what it yields depends on the shortcodes registered by WordPress core, the active theme and the other installed plugins. Typical outcomes are disclosure of content the attacker should not see, reflected or stored cross‑site scripting where a shortcode echoes attributes unescaped, and triggering the side effects of other plugins' shortcodes. Because the plugin neither validates nor restricts the value, the flaw is reachable by any unauthenticated client with network access to the site.
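The pattern the advisory describes, beside one way to harden it, as an added PHP illustration; this is not the plugin's code, and the AJAX action names, parameter names, shortcode tag and allowed values are hypothetical:

```php
<?php
// Added illustration, not the plugin's code. The action names, parameter
// names, shortcode tag and allowlist values below are hypothetical.

// --- Vulnerable pattern described in the advisory ---
// An unauthenticated AJAX action (wp_ajax_nopriv_*) that renders whatever the
// client sends through do_shortcode(). Any registered shortcode, with
// attacker-chosen attributes, is executed.
add_action( 'wp_ajax_nopriv_ssa_render_example', 'ssa_render_example_vulnerable' );
add_action( 'wp_ajax_ssa_render_example', 'ssa_render_example_vulnerable' );
function ssa_render_example_vulnerable() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content ); // attacker controls the tag and its attributes
    wp_die();
}

// --- Hardened version ---
// 1. Never pass client-supplied text to do_shortcode(). Build the shortcode
//    string server-side from a fixed tag and validated attributes.
// 2. Restrict what the client may choose to an allowlist of values.
// 3. Require a nonce so the endpoint cannot be driven cross-site.
const SSA_EXAMPLE_TAG           = 'ssa_booking';                    // hypothetical
const SSA_EXAMPLE_ALLOWED_VIEWS = array( 'week', 'month', 'list' ); // hypothetical

function ssa_build_shortcode( $view, $type_id ) {
    if ( ! in_array( $view, SSA_EXAMPLE_ALLOWED_VIEWS, true ) ) {
        return new WP_Error( 'bad_view', 'Unsupported view' );
    }
    $type_id = absint( $type_id );
    if ( 0 === $type_id ) {
        return new WP_Error( 'bad_type', 'Missing appointment type' );
    }
    // The tag is a constant and every attribute is validated and escaped, so
    // the client cannot close the attribute quote and smuggle a second tag.
    return sprintf( '[%s view="%s" type="%d"]', SSA_EXAMPLE_TAG, esc_attr( $view ), $type_id );
}

add_action( 'wp_ajax_nopriv_ssa_render_example_safe', 'ssa_render_example_hardened' );
add_action( 'wp_ajax_ssa_render_example_safe', 'ssa_render_example_hardened' );
function ssa_render_example_hardened() {
    check_ajax_referer( 'ssa_render_example', 'nonce' ); // dies on a bad/missing nonce

    $view    = isset( $_POST['view'] ) ? sanitize_key( wp_unslash( $_POST['view'] ) ) : '';
    $type_id = isset( $_POST['type'] ) ? $_POST['type'] : 0;

    $shortcode = ssa_build_shortcode( $view, $type_id );
    if ( is_wp_error( $shortcode ) ) {
        wp_send_json_error( $shortcode->get_error_message(), 400 );
    }
    wp_send_json_success( do_shortcode( $shortcode ) );
}
```

The hardened handler still calls do_shortcode(), but only on a string the server assembled; the client can pick among allowed views and an integer ID, nothing else. When reviewing a plugin for this class of bug, grep for do_shortcode( and trace every argument back to its origin: any path from $_GET, $_POST, $_REQUEST or a REST parameter to that call without an allowlist is the pattern this CVE describes.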

Affected Systems

The issue affects the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress, versions 1.6.8.5 and earlier. No other products are listed, so only sites running this plugin at those versions are affected; the installed version is shown on the WordPress Plugins screen.

Risk and Exploitability

The CVSS 3.1 base score of 7.3 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) describes a network‑reachable, low‑complexity attack that needs no privileges and no user interaction, with a limited impact on each of confidentiality, integrity and availability. The EPSS score (0.24% at the latest update) estimates a low probability of exploitation in the wild over the next 30 days; it does not say whether an exploit can be written, and the SSVC assessment recorded in the history below rates the flaw as automatable with no known exploitation. The vulnerability is not in CISA's KEV catalog. An attacker needs only to send a crafted HTTP request to the plugin action that forwards the unvalidated value to do_shortcode. Because no authentication is required, any client that can reach the site can invoke whatever shortcodes core, the theme and other plugins have registered, and the practical impact depends on what those shortcodes do with attacker‑supplied attributes.

Generated by OpenCVE AI on April 22, 2026 at 17:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simply Schedule Appointments Booking Plugin to a release later than 1.6.8.5, the last version the advisory lists as affected, and confirm the installed version afterwards.
  • If an update cannot be applied immediately, deactivate or uninstall the plugin to remove the vulnerable action from the attack surface.
  • As a stopgap, add web‑application‑firewall or access‑control rules that reject unauthenticated requests to the plugin's endpoints whose parameters contain shortcode syntax (a bracketed tag such as [name ...]), and log such requests. The advisory does not name the exact action or parameter, so scope the rule to the plugin's handlers rather than to every request on the site.
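A site‑level stopgap for the last bullet that does not depend on knowing which plugin action is vulnerable: an mu‑plugin that uses the WordPress pre_do_shortcode_tag filter (available since WordPress 4.7) to refuse any shortcode not on an allowlist when the request is unauthenticated AJAX or REST. This is an added example, not code from the plugin or from OpenCVE; the allowlist contents and the ssa_example_ function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Shortcode allowlist for unauthenticated requests (example)
 *
 * Added hardening example, not from the plugin or OpenCVE. Place in
 * wp-content/mu-plugins/. The allowlist below is hypothetical; fill it with
 * the shortcodes your public pages and endpoints actually need.
 */

// Shortcodes that unauthenticated AJAX/REST requests are allowed to run.
function ssa_example_public_shortcode_allowlist() {
    return array( 'ssa_booking', 'gallery', 'caption' ); // hypothetical entries
}

// True for requests where a client-controlled value is most likely to reach
// do_shortcode(): admin-ajax.php and REST calls made without a logged-in user.
function ssa_example_is_untrusted_request() {
    if ( is_user_logged_in() ) {
        return false;
    }
    $is_ajax = function_exists( 'wp_doing_ajax' ) && wp_doing_ajax();
    $is_rest = defined( 'REST_REQUEST' ) && REST_REQUEST;
    return $is_ajax || $is_rest;
}

// pre_do_shortcode_tag runs before each shortcode callback; returning anything
// other than false short-circuits the tag and is used as its output.
// $m is the regex match array; $m[0] is the full shortcode text as matched.
add_filter( 'pre_do_shortcode_tag', 'ssa_example_filter_shortcode', 10, 4 );
function ssa_example_filter_shortcode( $return, $tag, $attr, $m ) {
    if ( false !== $return || ! ssa_example_is_untrusted_request() ) {
        return $return; // another filter already handled it, or trusted context
    }
    if ( in_array( $tag, ssa_example_public_shortcode_allowlist(), true ) ) {
        return $return;
    }
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?';
    error_log( sprintf( 'Blocked shortcode [%s] in unauthenticated request from %s: %s',
        $tag, $ip, $m[0] ) );
    return ''; // swallow the tag; nothing is rendered for it
}
```

Two caveats before deploying this. REST responses served to logged‑out users render post content through the same shortcode pipeline, so any shortcode that appears in public content must be on the allowlist or it will disappear from those responses; the error_log lines tell you what is being blocked. And if the plugin's vulnerable handler is reached through an ordinary front‑end request rather than admin‑ajax or REST, ssa_example_is_untrusted_request() must be extended to cover that path, since the filter only restricts the contexts it recognises.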



Advisories
Source: EUVD
ID: EUVD-2025-6257
Title: The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.6.8.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
History

Wed, 08 Apr 2026 17:00:00 +0000

Sun, 13 Jul 2025 13:45:00 +0000

Metrics (epss): removed {'score': 0.00163}; added {'score': 0.00241}

Thu, 13 Mar 2025 21:15:00 +0000

Metrics (ssvc): added {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 13 Mar 2025 07:15:00 +0000

Description: added "The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.6.8.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
Title: added "Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.8.5 - Unauthenticated Arbitrary Shortcode Execution"
Weaknesses: added CWE-94
References: none recorded
Metrics (cvssV3_1): added {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:38:22.055Z

Reserved: 2025-02-07T17:04:57.660Z

Link: CVE-2025-1119

Vulnrichment

Updated: 2025-03-13T20:40:42.241Z

NVD

Status : Deferred

Published: 2025-03-13T07:15:36.517

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1119

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:00:05Z

Weaknesses