Appointment Booking Calendar <= 1.3.34 is vulnerable to Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Administrator

Published
2020-03-04

Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML.

CVE

https://www.cve.org/CVERecord?id=CVE-2020-9371

CVSS

Score:4.8

Severity:Medium

Version: 1.3.34

There is a patch available in v1.3.35 and we strongly recommend you update to this version as soon as possible.