
CVE-2024-13891 – Schedule <= 1.0.0 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-13891
20 Feb 2025 — The Schedule WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. The Schedule plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages t... • https://wpscan.com/vulnerability/58c8b73c-3a29-4a66-9b2e-f24b5c2769ac • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-7876 – Appointment Booking Calendar < 1.6.7.55 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-7876
15 Oct 2024 — The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Appointment Type settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin appointment settings in all versions up to, ... • https://wpscan.com/vulnerability/fffe862f-5bf0-4a05-9d32-caff0bfdb860 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-7877 – Appointment Booking Calendar < 1.6.7.55 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-7877
15 Oct 2024 — The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Notification settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via notification settings in all versions up to, and inclu... • https://wpscan.com/vulnerability/fbec3738-2135-458d-be25-1ffb00e6deb6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-7129 – Appointment Booking Calendar < 1.6.7.43 - Admin+ Template Injection to RCE
https://notcve.org/view.php?id=CVE-2024-7129
23 Aug 2024 — The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which, if further exploited, can result in remote code execution by high privilege users such as admins. The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.6.7.42 via Twig Template Injection. ... • https://wpscan.com/vulnerability/00ad9b1a-97a5-425f-841e-ea48f72ecda4 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')