Impact
The flaw is an improper neutralization of input during web page generation that permits a reflected cross-site scripting (XSS) attack. When an attacker supplies crafted data to the Appointment Buddy Widget, the plugin fails to encode or validate that content before emitting it to the browser. A user who loads a page containing the crafted input receives and executes attacker-controlled JavaScript. This can expose session cookies, steal authentication tokens, inject phishing content, or deface the site, all within the context of the victim's browser.
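As an added illustration of the defect class described above, not code from the Appointment Buddy Widget plugin: a hypothetical WordPress shortcode handler that reflects a `name` query parameter into its markup, first in the unencoded form the advisory describes, then hardened with WordPress's sanitization and context-specific escaping functions. The shortcode tag, parameter names, URL path and markup are assumptions.

```php
<?php
// Hypothetical example, not code from the Appointment Buddy Widget plugin.
// Assumes it runs inside WordPress: add_shortcode, esc_html, esc_attr, esc_url,
// sanitize_text_field, wp_unslash, add_query_arg and home_url are core functions.

/**
 * Vulnerable pattern: a request parameter is concatenated straight into HTML.
 * Whatever the visitor's URL carries is reflected into the page unencoded, so
 * the browser interprets it as markup or script instead of as text.
 */
function abw_example_render_unsafe() {
    $name = isset( $_GET['name'] ) ? $_GET['name'] : '';
    return '<div class="abw-widget"><p>Booking for ' . $name . '</p></div>';
}

/**
 * Hardened pattern: sanitize on input, validate values with a known shape,
 * and escape on output using the function that matches each HTML context.
 */
function abw_example_render_safe() {
    // Remove the slashes WordPress adds to request data, then reduce the value
    // to a single line of plain text (tags and control characters stripped).
    $raw  = isset( $_GET['name'] ) ? wp_unslash( $_GET['name'] ) : '';
    $name = sanitize_text_field( $raw );

    // Allow-list validation for a value with a fixed format (ISO date).
    $date = isset( $_GET['date'] ) ? sanitize_text_field( wp_unslash( $_GET['date'] ) ) : '';
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $date ) ) {
        $date = '';
    }

    // Escape for the exact output context: attribute, element text, URL.
    $html  = '<div class="abw-widget" data-date="' . esc_attr( $date ) . '">';
    $html .= '<p>Booking for ' . esc_html( $name ) . '</p>';
    $link  = add_query_arg( 'date', $date, home_url( '/book/' ) );
    $html .= '<a href="' . esc_url( $link ) . '">Continue</a>';
    $html .= '</div>';
    return $html;
}

add_shortcode( 'abw_example', 'abw_example_render_safe' );
```

Escaping at output time, rather than relying on input sanitization alone, is what closes the reflected path even when the same value is later reused in a different context.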
Affected Systems
The vulnerability exists in accreteinfosolution's Appointment Buddy Widget plugin for WordPress. Any installation of the plugin at version 1.2 or earlier is affected. Upgrading to 1.3 or later eliminates the issue.
Risk and Exploitability
The CVSS base score of 7.1 denotes high severity; the EPSS score of less than 1% indicates a currently low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to embed malicious input that is reflected back to the browser, most likely through a user-visible field or URL parameter. Because the flaw does not require authentication, the attack vector is considered external, while the scope is limited to the victim's session. Nonetheless, the potential impact on confidentiality, integrity, and availability justifies prompt action.