Description
The Appointmind plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appointmind_calendar' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-17
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Appointmind WordPress plugin exposes a stored cross‑site scripting flaw through its appointmind_calendar shortcode. The plugin fails to sanitize or escape user‑supplied attributes, allowing an attacker who can create or edit content with contributor or higher privileges to embed malicious JavaScript. When another user visits a page that includes the compromised shortcode, the attacker‑supplied script is executed in the victim’s browser, enabling the theft of session data or site defacement.

Affected Systems

WordPress sites running the Appointmind plugin at version 4.1.0 or earlier. All releases up to and including 4.1.0 are affected, on any site where a contributor‑level or higher role can place the appointmind_calendar shortcode in content.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1% implies that exploitation is currently unlikely, and the flaw is not listed in CISA’s KEV catalog. Attackers must be authenticated with at least contributor level, so this is an authenticated stored XSS: the attacker injects script through the shortcode attributes, after which the payload runs for any user who views the affected page, threatening user confidentiality and site integrity.

Generated by OpenCVE AI on April 21, 2026 at 02:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Appointmind to the latest patched version (≥4.2.0). If a newer version is unavailable, uninstall or disable the plugin entirely.
  • Restrict the use of the appointmind_calendar shortcode to administrator accounts only, or remove all instances of the shortcode from existing content.
  • Implement a site‑wide Content Security Policy that blocks inline scripts and limits script sources.
  • Apply input sanitization and proper output escaping for the shortcode attributes as a temporary fix, ensuring that only allowed characters are accepted.
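As an added illustration of the last recommendation (this is hypothetical example code, not the Appointmind plugin's own handler, which is not shown on this page), a shortcode handler written in the unsafe pattern the advisory describes, beside a hardened version that uses WordPress's own shortcode_atts, sanitisation and escaping functions:

```php
<?php
// Hypothetical shortcode handler, NOT the Appointmind plugin's code.
// Unsafe pattern (what CWE-79 in a shortcode looks like): attributes a
// Contributor typed into the post body are written into the page as-is.
function example_calendar_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'width' => '400' ), $atts );
    // No sanitisation on input and no escaping on output: any markup in
    // $atts reaches the browser and runs for every visitor of the post.
    return '<div class="calendar" style="width:' . $atts['width'] . 'px">'
         . '<h3>' . $atts['title'] . '</h3></div>';
}

// Hardened version: allow-list the attributes, coerce each one to the type
// it must have, and escape at the point of output for the context it lands in.
function example_calendar_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'width' => 400, 'view' => 'month' ),
        $atts,
        'example_calendar'
    );

    // Input sanitisation: a pixel width can only be an integer in range,
    // the view is restricted to a fixed set, and the title is plain text.
    $width = max( 100, min( 1200, absint( $atts['width'] ) ) );
    $view  = in_array( $atts['view'], array( 'month', 'week', 'day' ), true )
           ? $atts['view'] : 'month';
    $title = sanitize_text_field( $atts['title'] );

    // Output escaping chosen per context: esc_attr() for attribute values,
    // esc_html() for element content; the integer is printed through %d.
    return sprintf(
        '<div class="calendar" data-view="%s" style="width:%dpx"><h3>%s</h3></div>',
        esc_attr( $view ),
        $width,
        esc_html( $title )
    );
}

// Only the hardened handler is registered; the unsafe one exists for contrast.
add_shortcode( 'example_calendar', 'example_calendar_safe' );
```

If an attribute is meant to carry limited HTML rather than plain text, wp_kses() with an explicit allow-list is the WordPress idiom instead of sanitize_text_field(); the point is the same, sanitise on input and escape for the output context.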


Advisories

Source: EUVD
ID: EUVD-2025-29675
Title: The Appointmind plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appointmind_calendar' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Fri, 19 Sep 2025 13:15:00 +0000
Type: Metrics (cvssV3_1)
Values Removed: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Wed, 17 Sep 2025 13:15:00 +0000
Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Sep 2025 11:00:00 +0000
Type: First Time appeared
Values Added: Appointmind, Appointmind appointmind, Wordpress, Wordpress wordpress
Type: Vendors & Products
Values Added: Appointmind, Appointmind appointmind, Wordpress, Wordpress wordpress

Wed, 17 Sep 2025 02:15:00 +0000
Type: Description
Values Added: The Appointmind plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appointmind_calendar' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
Values Added: Appointmind <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added: (none)
Type: Metrics (cvssV3_1)
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:54.335Z

Reserved: 2025-09-02T15:08:00.900Z

Link: CVE-2025-9851

Vulnrichment

Updated: 2025-09-17T13:10:49.724Z

NVD

Status : Deferred

Published: 2025-09-17T02:15:33.830

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9851

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:00:06Z

Weaknesses