Simply Schedule Appointments WordPress Plugin Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin for WordPress. This issue affects all versions through 1.6.8.30. The vulnerability arises from inadequate input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers with contributor-level access or higher to inject arbitrary web scripts. These scripts are executed when a user accesses the affected page. The vulnerability is present in the plugin's 'ssa_admin_upcoming_appointments', 'ssa_upcoming_appointments', and 'ssa_past_appointments' shortcodes.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, an authenticated user with contributor-level access or higher places one of the affected shortcodes in a page or post and supplies a script in a shortcode attribute. Because the attribute is neither sanitized on input nor escaped on output, the script is rendered into the page and executed when the page is viewed.
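The Vulnerability and Reproduction sections above describe the same root cause: a shortcode attribute copied into HTML without sanitization or escaping. The following is an added illustration, not code from the Simply Schedule Appointments plugin; the shortcode name `demo_appointments` and its `title` and `limit` attributes are hypothetical. It places the weak pattern beside a hardened handler built from WordPress's own `shortcode_atts`, `sanitize_text_field`, `absint`, `esc_attr` and `esc_html` helpers, so the difference a reviewer should look for is visible in one place.

```php
<?php
// Added example for this advisory; hypothetical shortcode, not the plugin's code.
// Assumes it runs inside WordPress (shortcode_atts, sanitize_text_field,
// absint, esc_attr, esc_html and add_shortcode are WordPress core functions).

/**
 * Weak pattern: the attribute value goes straight into the HTML output.
 * Any user who may save a shortcode (contributor role and above) controls
 * what ends up in the page, and whoever views the page runs it.
 */
function demo_appointments_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Upcoming appointments' ),
        $atts,
        'demo_appointments'
    );
    // No sanitization, no escaping: stored XSS sink.
    return '<h2 class="appointments-title">' . $atts['title'] . '</h2>';
}

/**
 * Hardened pattern: whitelist attributes via shortcode_atts, sanitize on
 * input, validate types, and escape for the exact output context.
 */
function demo_appointments_safe( $atts ) {
    $atts = shortcode_atts(
        array(
            'title' => 'Upcoming appointments',
            'limit' => 5,
        ),
        $atts,
        'demo_appointments'
    );

    // Input sanitization: strip tags, line breaks and octets from the title.
    $title = sanitize_text_field( $atts['title'] );

    // Type validation: limit must be a positive integer in a sane range.
    $limit = absint( $atts['limit'] );
    if ( $limit < 1 || $limit > 50 ) {
        $limit = 5;
    }

    // Output escaping, chosen per context: esc_attr() inside an HTML
    // attribute, esc_html() for text between tags.
    return sprintf(
        '<h2 class="appointments-title" data-limit="%s">%s</h2>',
        esc_attr( $limit ),
        esc_html( $title )
    );
}

// Only the hardened handler is registered.
add_shortcode( 'demo_appointments', 'demo_appointments_safe' );
```

When auditing a plugin for this class of bug, grep each `add_shortcode` callback for attribute values that reach `echo`, `return` or string concatenation without passing through an `esc_*` function appropriate to where they land (attribute, text node, URL, JavaScript). Sanitizing on input alone is not sufficient, because a value that is safe as text can still break out of an attribute; the escaping step at the point of output is what closes the hole.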

Remediation

Users are advised to update the Simply Schedule Appointments WordPress plugin to version 1.6.8.32 or later.

Added: Jun 14, 2025, 10:37 AM
Updated: Jun 14, 2025, 10:37 AM

Vulnerability Rating

Custom Algorithm

  spread          5.2
  impact          1.7
  exploitability  6.4
  remediation     7.7
  relevance       0.2
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.