Description
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ssa_admin_upcoming_appointments, ssa_admin_upcoming_appointments, and ssa_past_appointments shortcodes in all versions up to, and including, 1.6.8.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-14
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Simply Schedule Appointments plugin contains a stored cross-site scripting flaw: an authenticated user with contributor privileges or higher can place malicious data in the attributes of the ssa_admin_upcoming_appointments, ssa_admin_upcoming_appointments and ssa_past_appointments shortcodes. The plugin does not adequately sanitize these user-supplied attributes on input or escape them on output, so arbitrary script can be injected. Once stored, the injected code executes whenever a page containing the shortcode is rendered for any site visitor, potentially allowing attackers to hijack sessions, deface content or redirect users to malicious sites.

Affected Systems

The vulnerability affects the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress (vendor: croixhaug). All released versions up to and including 1.6.8.30 are impacted; releases later than 1.6.8.30 are presumed fixed and are not listed.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS score below 1 % suggests that the probability of exploitation is currently low. The flaw is not listed in the CISA KEV catalog, implying that no widespread exploitation is publicly known. An attacker needs an authenticated account at contributor level or higher to inject the payload, so any account holding such privileges in the WordPress administrative interface could do so. The impact is confined to users who view pages containing the affected shortcodes, but execution of arbitrary script in their browsers can compromise session data and the integrity of the site.

Generated by OpenCVE AI on April 21, 2026 at 20:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simply Schedule Appointments plugin to a version newer than 1.6.8.30.
  • If an update is not feasible, restrict or remove the vulnerable shortcode attributes from rendering or ensure that any user‑supplied data is escaped before output.
  • Consider revoking contributor‑level access for users who do not need to edit or manage appointments, or implement stricter permission controls for the plugin.
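The escaping step in the second recommended action, shown as an added PHP illustration that is not the plugin's own code: the demo_appointments tag, its attributes and the markup are hypothetical, and the WordPress helpers shortcode_atts, sanitize_text_field, absint, esc_attr and esc_html are assumed available as in any plugin.

```php
<?php
// Added illustration (not the plugin's code). Tag name, attribute names and
// markup are hypothetical; the WordPress plugin API is assumed to be loaded.

// Vulnerable pattern: the attribute value reaches the page verbatim, so any
// user allowed to place the shortcode in a post controls the emitted HTML.
function demo_appointments_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Upcoming appointments' ),
        $atts,
        'demo_appointments'
    );
    return '<h3 class="ssa-title">' . $atts['title'] . '</h3>';
}

// Hardened pattern: accept only known attributes, sanitize on input, and
// escape on output with the helper that matches the HTML context.
function demo_appointments_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Upcoming appointments', 'limit' => 10 ),
        $atts,
        'demo_appointments'
    );
    $title = sanitize_text_field( $atts['title'] ); // strips tags and control chars
    $limit = absint( $atts['limit'] );              // coerces to a non-negative integer

    // esc_attr() for attribute values, esc_html() for text nodes.
    return sprintf(
        '<h3 class="ssa-title" data-limit="%s">%s</h3>',
        esc_attr( $limit ),
        esc_html( $title )
    );
}

// Register only the hardened handler; the vulnerable one is kept for contrast.
add_shortcode( 'demo_appointments', 'demo_appointments_shortcode_hardened' );
```

Reviewing a plugin for this bug class means checking every shortcode handler for attribute values that reach the returned markup without passing through an esc_* helper appropriate to their context.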


Advisories
Source: EUVD
ID: EUVD-2025-18338
Title: The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ssa_admin_upcoming_appointments, ssa_admin_upcoming_appointments, and ssa_past_appointments shortcodes in all versions up to, and including, 1.6.8.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Fri, 10 Apr 2026 04:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.0004}
Values Added: {'score': 0.00046}


Sat, 14 Jun 2025 09:30:00 +0000

Type: Description
Values Added: The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ssa_admin_upcoming_appointments, ssa_admin_upcoming_appointments, and ssa_past_appointments shortcodes in all versions up to, and including, 1.6.8.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Simply Schedule Appointments <= 1.6.8.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:38.088Z

Reserved: 2025-05-13T19:53:57.589Z

Link: CVE-2025-4667

Vulnrichment

Updated: 2025-06-16T16:47:06.272Z

NVD

Status: Deferred

Published: 2025-06-14T10:15:18.853

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4667

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:15:44Z

Weaknesses