Description
The Appointment Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom booking field labels in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-19
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Appointment Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting through custom booking field labels. The plugin neither sanitizes a label when it is saved nor escapes it when it is rendered into the booking form, so an authenticated attacker with Author-level access or higher can save a label that carries arbitrary JavaScript. The script then executes in the browser of every user who views a page where that form is rendered, in the origin of the WordPress site, and can act as that user against the site (for a logged-in administrator this includes privileged actions), deface content, or carry out other client-side attacks.

Affected Systems

All releases of the Creavi Appointment Booking Calendar plugin up to and including version 1.4.4 installed on WordPress sites are affected. OpenCVE lists the product under the vendor name Creavi; no fixed version is identified on this page.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (medium) reflects a flaw reachable over the network with low attack complexity and no user interaction, but requiring low privileges (AV:N/AC:L/PR:L/UI:N), scored with changed scope and low confidentiality and integrity impact (S:C/C:L/I:L/A:N). The attacker needs an Author-level or higher account to edit booking field labels, which anonymous visitors do not have. Note that WordPress core withholds the unfiltered_html capability from Author accounts precisely so they cannot publish script; this flaw lets such an account bypass that restriction through the plugin's own settings. EPSS is not reported, and the vulnerability is not listed in KEV at this time. Because the payload is stored, once injected it runs for every subsequent visitor to the affected page until the label is cleaned or the plugin is fixed.

Generated by OpenCVE AI on June 19, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for an update to the Creavi Appointment Booking Calendar plugin and upgrade as soon as a version later than 1.4.4 that addresses this issue is released.
  • Until an upgrade is possible, limit Author-level and higher accounts to trusted users, and disable or remove custom booking field labels where the feature is not needed. Review every label that already exists for injected markup (HTML tags, event-handler attributes, javascript: URLs), since a payload saved before the fix stays in the database until the label itself is cleaned.
  • As a stopgap, a web application firewall or security plugin can block requests that submit script-like content into the label field. This only filters obvious payloads; it is not a substitute for sanitizing the label on save and escaping it for the right context (text node or attribute) on every output in the plugin code.
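The following is an added example, not code from the Appointment Booking Calendar plugin or from OpenCVE. It shows the pattern the advisory describes (a label stored unsanitized and echoed unescaped) beside a hardened version, and a small audit routine for the "review existing labels" step above. The function names, the stored-label array and the payload are constructed for illustration; the WordPress helpers esc_html(), esc_attr() and sanitize_text_field() are polyfilled with approximations only so the file runs from the php CLI, and those definitions are skipped when the real functions exist.

```php
<?php
// Added example (hypothetical code, not the plugin's). Polyfills below
// approximate the WordPress helpers so this runs stand-alone via `php`.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8', false);
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8', false);
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of WordPress sanitize_text_field(): drop tags, collapse whitespace.
    function sanitize_text_field(string $text): string {
        $text = strip_tags($text);
        $text = preg_replace('/[\r\n\t ]+/', ' ', $text);
        return trim($text);
    }
}

// Constructed sample of stored labels as an Author-level user might have
// saved them: one benign, one carrying an XSS payload. Not plugin data.
$stored_labels = [
    'field_1' => 'Preferred time',
    'field_2' => 'Phone<img src=x onerror=alert(document.domain)>',
];

// Vulnerable pattern: the raw label lands in a text node and in an attribute.
function render_field_vulnerable(string $id, string $label): string {
    return '<label for="' . $id . '">' . $label . '</label>'
         . '<input type="text" name="' . $id . '" placeholder="' . $label . '">';
}

// Hardened pattern, part 1: sanitize once when the label is saved.
function save_label(string $raw): string {
    return sanitize_text_field($raw);
}

// Hardened pattern, part 2: escape for the exact output context every time.
// esc_html() for the text node, esc_attr() for attribute values.
function render_field_hardened(string $id, string $label): string {
    return '<label for="' . esc_attr($id) . '">' . esc_html($label) . '</label>'
         . '<input type="text" name="' . esc_attr($id) . '" placeholder="' . esc_attr($label) . '">';
}

// Audit helper for the remediation step: list labels that would change under
// escaping, i.e. that already contain markup or quote characters. It also
// flags benign ampersands or apostrophes, which is acceptable for a review list.
function find_suspicious_labels(array $labels): array {
    $hits = [];
    foreach ($labels as $id => $label) {
        if (esc_html($label) !== $label) {
            $hits[] = $id;
        }
    }
    return $hits;
}

foreach ($stored_labels as $id => $label) {
    echo "vulnerable:        " . render_field_vulnerable($id, $label) . "\n";
    // Escaping alone neutralises a payload that is already stored.
    echo "escape only:       " . render_field_hardened($id, $label) . "\n";
    // Sanitizing on save plus escaping on output is the full fix.
    echo "sanitize + escape: " . render_field_hardened($id, save_label($label)) . "\n";
}
echo "labels to review: " . implode(', ', find_suspicious_labels($stored_labels)) . "\n";
```

The "escape only" line is the important one for an already-compromised site: output escaping turns the stored `<img ... onerror=...>` into inert text, so a fix that only sanitizes on save would leave old payloads live until they are cleaned, which is why the audit list above is worth running after any upgrade.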


Advisories

No advisories yet.

History

Fri, 19 Jun 2026 06:15:00 +0000

Type | Values removed | Values added
Description | | The Appointment Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom booking field labels in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Appointment Booking Calendar <= 1.4.4 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Booking Field Label
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-19T04:31:31.814Z

Reserved: 2026-02-03T18:42:25.326Z

Link: CVE-2026-1856

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T08:00:09Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')