Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tenteeglobal Instant Appointment instant-appointment allows Reflected XSS. This issue affects Instant Appointment: from n/a through <= 1.2.
Published: 2025-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability permits attackers to inject and run arbitrary JavaScript code in the context of a victim's browser through the instant-appointment plugin's reflected input handling. The flaw falls under CWE-79 and can be leveraged to hijack user sessions, steal cookies, or execute malicious scripts, thereby compromising confidentiality and availability of web application content.

Affected Systems

The problem affects the tenteeglobal Instant Appointment WordPress plugin versions up to and including 1.2. No narrower version range is provided, so any installation of the plugin at or below 1.2 is considered susceptible.

Risk and Exploitability

The CVSS base score of 7.1 categorizes the issue as high severity. The EPSS score of less than 1% indicates a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The most likely attack vector is a remote attacker crafting a malicious URL or form input that is reflected back in the generated page; no specific exploitation conditions beyond standard web interaction are reported.

Generated by OpenCVE AI on May 1, 2026 at 19:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the instant‑appointment plugin to the latest available version that removes the reflected XSS flaw.
  • If an immediate upgrade is not possible, restrict or sanitize the input fields that feed the plugin’s output, or temporarily disable the affected features until a patch is applied.
  • Implement monitoring for anomalous script execution or denied access patterns that may indicate exploitation attempts, and consider deploying a web application firewall rule to block common XSS payloads.

Advisories
Source: EUVD
ID: EUVD-2025-3331
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Instant Appointment allows Reflected XSS. This issue affects Instant Appointment: from n/a through 1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Instant Appointment allows Reflected XSS. This issue affects Instant Appointment: from n/a through 1.2.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tenteeglobal Instant Appointment instant-appointment allows Reflected XSS. This issue affects Instant Appointment: from n/a through <= 1.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 22 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Jan 2025 14:45:00 +0000

Type Values Removed Values Added
Description
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Instant Appointment allows Reflected XSS. This issue affects Instant Appointment: from n/a through 1.2.
Title
  Values Added: WordPress Instant Appointment plugin <= 1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses
  Values Added: CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:16.535Z

Reserved: 2025-01-16T11:28:07.194Z

Link: CVE-2025-23672

Vulnrichment

Updated: 2025-01-22T16:16:21.971Z

NVD

Status: Deferred

Published: 2025-01-22T15:15:20.287

Modified: 2026-04-23T15:24:16.110

Link: CVE-2025-23672

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T19:45:24Z

Weaknesses