Stored Cross-Site Scripting Vulnerability in Appointment Booking Calendar Plugin for WordPress
CVE-2026-1856

6.4 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 19 June 2026

What is CVE-2026-1856?

The Appointment Booking Calendar plugin for WordPress is vulnerable to stored cross-site scripting. Authenticated attackers with Author-level access and above can inject malicious scripts through custom booking field labels. The cause is inadequate sanitization of user input, so the injected code executes in the browser of any user who visits a compromised page. All versions up to and including 1.4.4 are affected, so users should update to a more secure version or apply the necessary patches.

Affected Version(s)

Creavi Appointment Booking Calendar 0 <= 1.4.4

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Athiwat Tiprasaharn
Powpy