Appointment Hour Booking WordPress Plugin Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Appointment Hour Booking – Booking Calendar plugin for WordPress, affecting all versions through 1.5.60. The issue arises from inadequate input sanitization and output escaping in the 'Min length/characters' and 'Max length/characters' field configuration values. This vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts that execute when a user accesses the form builder interface. The vulnerability is present in multi-site installations where unfiltered_html has been disabled.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user accessing the form builder interface.
Remediation
Users are advised to update the Appointment Hour Booking – Booking Calendar plugin to version 1.5.61 or a newer patched version.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.