WordPress Easy Appointments plugin <= 3.10.7 - Auth. Stored Cross-Site Scripting (XSS) vulnerability
CVE-2023-30748

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Easy Appointments
Vendor: CVE Published:; 9 December 2024

Summary

The Easy Appointments plugin by Nikola Loncar is susceptible to a Cross-site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This flaw allows attackers to exploit the application by injecting malicious scripts that can be stored and later executed in the browsers of unsuspecting users. Users of affected versions should be vigilant, as the consequences of this vulnerability can lead to unauthorized access to sensitive user information, session hijacking, and various other malicious activities. Ensuring that the plugin is updated to mitigate this issue is essential for maintaining application security.

Affected Version(s)

Easy Appointments <= 3.10.7

References

https://patchstack.com/database/wordpress/plugin/easy-app...

vdb-entry

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Dec 9, 2024
Vulnerability Reserved
Apr 14, 2023

Credit

István Márton (Patchstack Alliance)