Description
Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.12.2 versions.
Published: 2026-06-26
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Cross Site Scripting (XSS) exists in the NSquared Simply Schedule Appointments WordPress plugin for versions 1.6.12.2 and earlier. The flaw is classified as CWE-79 and allows an attacker to inject arbitrary client-side script through vulnerable input fields. If successfully exploited, the attacker could steal user cookies, hijack sessions, deface site content, or redirect users to malicious sites, thereby compromising data confidentiality, integrity, and potentially the availability of user-generated content.

Affected Systems

The vulnerability affects the NSquared Simply Schedule Appointments plugin for WordPress, specifically any installation running version 1.6.12.2 or older. Upgrading to version 1.6.12.4 or newer removes the affected code paths.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) reflects a high impact if the flaw is exploited, but no EPSS score is available, so the real-world probability of exploitation cannot be quantified from current data. The vulnerability is not listed in the CISA KEV catalog. Because the attack requires no authentication (PR:N in the CVSS vector) and, per the same vector, only user interaction (UI:R), the primary attack vector is unauthenticated HTTP requests carrying script payloads aimed at the vulnerable fields. No additional exploitation conditions are documented.

Generated by OpenCVE AI on June 26, 2026 at 17:02 UTC.

Remediation

Vendor Solution

Update the WordPress Simply Schedule Appointments plugin to the latest available version (at least 1.6.12.4).

OpenCVE Recommended Actions

  • Update Simply Schedule Appointments to version 1.6.12.4 or later
  • If an immediate update is not possible, completely disable or uninstall the plugin until a patch can be applied
  • As a compensating control, restrict script execution in the browser (for example with a Content Security Policy) and use a web application firewall rule to block requests carrying script payloads aimed at the plugin's input fields


Tracking


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:30:00 +0000

Type                  | Values Removed | Values Added
First Time appeared   |                | Nsquared; Nsquared simply Schedule Appointments; Wordpress; Wordpress wordpress
Vendors & Products    |                | Nsquared; Nsquared simply Schedule Appointments; Wordpress; Wordpress wordpress

Fri, 26 Jun 2026 18:30:00 +0000

Type                  | Values Removed | Values Added
Metrics               |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type                  | Values Removed | Values Added
Description           |                | Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.12.2 versions.
Title                 |                | WordPress Simply Schedule Appointments plugin <= 1.6.12.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses            |                | CWE-79
References            |                |
Metrics               |                | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T17:42:59.223Z

Reserved: 2026-06-24T12:44:58.567Z

Link: CVE-2026-57317

Vulnrichment

Updated: 2026-06-26T17:26:50.928Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:15:02Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')