Description
The Appointment Hour Booking – Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form field configuration parameters in all versions up to, and including, 1.5.60 due to insufficient input sanitization and output escaping on the 'Min length/characters' and 'Max length/characters' field configuration values. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the form builder interface. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-01-28
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via form field configuration
Action: Patch Now
AI Analysis

Impact

The Appointment Hour Booking – Booking Calendar plugin contains a stored cross‑site scripting flaw that allows authenticated administrators to inject arbitrary JavaScript by setting the 'Min length/characters' and 'Max length/characters' options. The injected script is stored and executed each time any user opens the form builder interface. No other privilege escalation is required beyond administrator access, and the vulnerability is only present when the WordPress unfiltered_html capability is disabled on a multi‑site installation.

Affected Systems

WordPress sites running Appointment Hour Booking – Booking Calendar version 1.5.60 or earlier, including installations that use an unfiltered_html setting restricted to trusted users and are configured as multi‑site networks. The plugin must be present on a network where administrators can modify form field settings.

Risk and Exploitability

The issue scores a CVSS of 4.4 and has an EPSS probability of less than 1 %. It is not cataloged in the CISA KEV list. Exploitation requires an attacker to be logged in as an administrator or higher and to modify form field settings. Once injected, the script will run on any user who accesses the form builder, affecting all users who load that interface.

Generated by OpenCVE AI on April 15, 2026 at 21:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Appointment Hour Booking – Booking Calendar plugin to version 1.5.61 or later to remove the unsanitized input handling.
  • Limit the use of the form builder to trusted administrator accounts only or implement IP‑based access restrictions to prevent broader exposure.
  • Verify that the WordPress setting 'unfiltered_html' is disabled for all user roles except the true administrators and remove any unintended elevated permissions.
  • Optionally, avoid configuring 'Min length/characters' and 'Max length/characters' with non‑numeric values; use numeric‑only configurations to reduce input fields that could carry scripts.

Generated by OpenCVE AI on April 15, 2026 at 21:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Codepeople
Codepeople appointment Booking Calendar
Wordpress
Wordpress wordpress
Vendors & Products Codepeople
Codepeople appointment Booking Calendar
Wordpress
Wordpress wordpress

Wed, 28 Jan 2026 05:45:00 +0000

Type Values Removed Values Added
Description The Appointment Hour Booking – Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form field configuration parameters in all versions up to, and including, 1.5.60 due to insufficient input sanitization and output escaping on the 'Min length/characters' and 'Max length/characters' field configuration values. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the form builder interface. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Appointment Hour Booking – Booking Calendar <= 1.5.60 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Min/Max Length' Field Configuration
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Codepeople Appointment Booking Calendar
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:20.372Z

Reserved: 2026-01-16T20:43:09.863Z

Link: CVE-2026-1083

cve-icon Vulnrichment

Updated: 2026-01-28T20:50:58.738Z

cve-icon NVD

Status : Deferred

Published: 2026-01-28T06:15:49.150

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1083

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T21:45:14Z

Weaknesses