Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SwiftCloud Swift Calendar Online Appointment Scheduling online-appointment-scheduling-software allows Reflected XSS.This issue affects Swift Calendar Online Appointment Scheduling: from n/a through <= 1.3.3.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected Cross‑Site Scripting (XSS) flaw that occurs when the plugin fails to neutralize user‑supplied input before including it in the rendered web page. An attacker can deliver malicious JavaScript through crafted query parameters or form inputs, which is then executed in the victim’s browser. This can lead to client‑side defacement, theft of session cookies, or the execution of further attacks against that user, potentially compromising confidentiality and integrity of user accounts within the WordPress site.

Affected Systems

SwiftCloud Swift Calendar Online Appointment Scheduling, a WordPress plugin, is the affected product. Versions up to and including 1.3.3 are vulnerable. No other affected versions were disclosed.

Risk and Exploitability

The CVSS score of 7.1 indicates a high‑severity issue. The EPSS score of less than 1% suggests exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be through the web interface; an attacker can craft a malicious URL or input that is reflected back to the victim. Because it is a reflected XSS, exploitation requires victim interaction, such as clicking a compromised link, but the vulnerability can still be leveraged in social‑engineering or phishing campaigns.

Generated by OpenCVE AI on May 1, 2026 at 14:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SwiftCalendar Online Appointment Scheduling to a version newer than 1.3.3, preferably the latest release.
  • If an update is not available, consider deactivating or removing the plugin to eliminate the attack surface.
  • Configure the site’s web application firewall (WAF) or use input sanitization mechanisms to reject or escape potentially malicious payloads before they reach the browser.

Generated by OpenCVE AI on May 1, 2026 at 14:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-5715 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Swift Calendar Online Appointment Scheduling allows Reflected XSS. This issue affects Swift Calendar Online Appointment Scheduling: from n/a through 1.3.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Swift Calendar Online Appointment Scheduling allows Reflected XSS. This issue affects Swift Calendar Online Appointment Scheduling: from n/a through 1.3.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SwiftCloud Swift Calendar Online Appointment Scheduling online-appointment-scheduling-software allows Reflected XSS.This issue affects Swift Calendar Online Appointment Scheduling: from n/a through <= 1.3.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Mon, 17 Mar 2025 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Swiftcloud
Swiftcloud swift Calendar Online Appointment Scheduling
CPEs cpe:2.3:a:swiftcloud:swift_calendar_online_appointment_scheduling:*:*:*:*:*:wordpress:*:*
Vendors & Products Swiftcloud
Swiftcloud swift Calendar Online Appointment Scheduling

Wed, 05 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Swift Calendar Online Appointment Scheduling allows Reflected XSS. This issue affects Swift Calendar Online Appointment Scheduling: from n/a through 1.3.3.
Title WordPress Swift Calendar Online Appointment Scheduling plugin <= 1.3.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Swiftcloud Swift Calendar Online Appointment Scheduling
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:12.450Z

Reserved: 2025-01-16T11:25:49.095Z

Link: CVE-2025-23526

cve-icon Vulnrichment

Updated: 2025-03-05T16:44:00.784Z

cve-icon NVD

Status : Modified

Published: 2025-03-03T14:15:40.043

Modified: 2026-06-17T08:55:05.600

Link: CVE-2025-23526

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T15:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')