Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabeel Tahir Form To Online Booking cf7-calendly-integration allows Reflected XSS. This issue affects Form To Online Booking: from n/a through <= 1.0.
Published: 2025-02-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, which permits reflected cross-site scripting (CWE-79). The Form To Online Booking plugin echoes attacker-supplied input from a crafted request back into the generated page, so injected script runs in the browser of any user whose browser loads that request, potentially compromising that user's session.

Affected Systems

The flaw affects the WordPress plugin Form To Online Booking, version 1.0 and earlier, released by Nabeel Tahir under the cf7‑calendly‑integration package. No other vendor or product versions were identified in the CNA data.

Risk and Exploitability

With a CVSS 3.1 base score of 7.1, the vulnerability is rated High. The EPSS score is below 1%, indicating a low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. The likely attack vector is reflected XSS via crafted URLs or form submissions that include malicious script payloads. The CVSS vector (PR:N/UI:R) shows that the attacker needs no authentication but that a user must interact with the crafted request. A successful exploit would lead to client-side compromise, allowing data theft, session hijacking, or defacement.

Generated by OpenCVE AI on May 2, 2026 at 04:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Form To Online Booking (cf7‑calendly‑integration) to a version newer than 1.0.
  • If an upgrade is not immediately possible, temporarily disable the plugin until a patched version becomes available.
  • Implement a strict Content Security Policy that disallows execution of inline scripts.
  • Ensure all form data is sanitized using WordPress sanitization functions such as sanitize_text_field before rendering.



Advisories
Source: EUVD
ID: EUVD-2025-3317
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Form To Online Booking allows Reflected XSS. This issue affects Form To Online Booking: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Form To Online Booking allows Reflected XSS. This issue affects Form To Online Booking: from n/a through 1.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabeel Tahir Form To Online Booking cf7-calendly-integration allows Reflected XSS. This issue affects Form To Online Booking: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics
  Values Removed: epss {'score': 0.00032}
  Values Added: epss {'score': 0.00035}


Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics
  Values Removed: epss {'score': 0.00072}
  Values Added: epss {'score': 0.00032}


Fri, 14 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 14 Feb 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Form To Online Booking allows Reflected XSS. This issue affects Form To Online Booking: from n/a through 1.0.
Title WordPress Form To Online Booking plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:16.141Z

Reserved: 2025-01-16T11:27:51.184Z

Link: CVE-2025-23653

Vulnrichment

Updated: 2025-02-14T15:35:44.201Z

NVD

Status: Deferred

Published: 2025-02-14T13:15:45.467

Modified: 2026-06-17T08:56:07.293

Link: CVE-2025-23653

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:45:34Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')