
    6 vulnerabilities found for Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin by Unknown

    CVE-2024-7877 (GCVE-0-2024-7877)

    Vulnerability from nvd – Published: 2024-11-05 06:00 – Updated: 2024-11-05 15:50
    VLAI
    Title
    Appointment Booking Calendar < 1.6.7.55 - Admin+ Stored XSS
    Summary
    The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Notification settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/fbec3738-2135-458d-be25-1ffb00e6deb6/ exploit, vdb-entry, technical-description
    Impacted products
    Vendor Product Version
    Unknown Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin Affected: 0 , < 1.6.7.55 (semver)
    nsquared appointment_booking_calendar Affected: 0 , < 1.6.7.55 (semver)
        cpe:2.3:a:nsquared:appointment_booking_calendar:*:*:*:*:*:*:*:*
    Credits
    Jeewan Kumar Bhatta WPScan

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:nsquared:appointment_booking_calendar:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "appointment_booking_calendar",
                "vendor": "nsquared",
                "versions": [
                  {
                    "lessThan": "1.6.7.55",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.8,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7877",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-05T15:41:25.929217Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-05T15:50:50.548Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.6.7.55",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jeewan Kumar Bhatta"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Notification settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-05T06:00:07.856Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/fbec3738-2135-458d-be25-1ffb00e6deb6/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Appointment Booking Calendar \u003c 1.6.7.55 - Admin+ Stored XSS",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2024-7877",
        "datePublished": "2024-11-05T06:00:07.856Z",
        "dateReserved": "2024-08-16T12:25:01.921Z",
        "dateUpdated": "2024-11-05T15:50:50.548Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7876 (GCVE-0-2024-7876)

    Vulnerability from nvd – Published: 2024-11-05 06:00 – Updated: 2024-11-05 15:52
    VLAI
    Title
    Appointment Booking Calendar < 1.6.7.55 - Admin+ Stored XSS
    Summary
    The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Appointment Type settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/fffe862f-5bf0-4a05-9d32-caff0bfdb860/ exploit, vdb-entry, technical-description
    Impacted products
    Vendor Product Version
    Unknown Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin Affected: 0 , < 1.6.7.55 (semver)
    nsquared appointment_booking_calendar Affected: 0 , < 1.6.7.55 (semver)
        cpe:2.3:a:nsquared:appointment_booking_calendar:*:*:*:*:*:*:*:*
    Credits
    Jeewan Kumar Bhatta WPScan

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:nsquared:appointment_booking_calendar:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "appointment_booking_calendar",
                "vendor": "nsquared",
                "versions": [
                  {
                    "lessThan": "1.6.7.55",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.8,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7876",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-05T15:51:25.557309Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-05T15:52:12.176Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.6.7.55",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jeewan Kumar Bhatta"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Appointment Type settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-05T06:00:07.461Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/fffe862f-5bf0-4a05-9d32-caff0bfdb860/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Appointment Booking Calendar \u003c 1.6.7.55 - Admin+ Stored XSS",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2024-7876",
        "datePublished": "2024-11-05T06:00:07.461Z",
        "dateReserved": "2024-08-16T12:20:01.517Z",
        "dateUpdated": "2024-11-05T15:52:12.176Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7129 (GCVE-0-2024-7129)

    Vulnerability from nvd – Published: 2024-09-13 06:00 – Updated: 2025-09-15 19:26
    VLAI
    Title
    Appointment Booking Calendar < 1.6.7.43 - Admin+ Template Injection to RCE
    Summary
    The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which, if further exploited, can result in remote code execution by high-privilege users such as admins
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/00ad9b1a-97a5-425f-841e-ea48f72ecda4/ exploit, vdb-entry, technical-description
    Impacted products
    Vendor Product Version
    Unknown Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin Affected: 0 , < 1.6.7.43 (semver)
    nsquared appointment_booking_calendar Affected: 0 , < 1.6.7.43 (semver)
        cpe:2.3:a:nsquared:appointment_booking_calendar:*:*:*:*:*:*:*:*
    Credits
    Jeewan Kumar Bhatta WPScan

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:nsquared:appointment_booking_calendar:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "appointment_booking_calendar",
                "vendor": "nsquared",
                "versions": [
                  {
                    "lessThan": "1.6.7.43",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7129",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-13T13:46:10.172882Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-15T19:26:20.635Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.6.7.43",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jeewan Kumar Bhatta"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to remote code Execution by high privilege such as admins"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-27T12:00:40.205Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/00ad9b1a-97a5-425f-841e-ea48f72ecda4/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Appointment Booking Calendar \u003c 1.6.7.43 - Admin+ Template Injection to RCE",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2024-7129",
        "datePublished": "2024-09-13T06:00:03.731Z",
        "dateReserved": "2024-07-26T11:56:34.810Z",
        "dateUpdated": "2025-09-15T19:26:20.635Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7877 (GCVE-0-2024-7877)

    Vulnerability from cvelistv5 – Published: 2024-11-05 06:00 – Updated: 2024-11-05 15:50
    VLAI
    Title
    Appointment Booking Calendar < 1.6.7.55 - Admin+ Stored XSS
    Summary
    The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Notification settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/fbec3738-2135-458d-be25-1ffb00e6deb6/ exploit, vdb-entry, technical-description
    Impacted products
    Vendor Product Version
    Unknown Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin Affected: 0 , < 1.6.7.55 (semver)
    nsquared appointment_booking_calendar Affected: 0 , < 1.6.7.55 (semver)
        cpe:2.3:a:nsquared:appointment_booking_calendar:*:*:*:*:*:*:*:*
    Credits
    Jeewan Kumar Bhatta WPScan

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:nsquared:appointment_booking_calendar:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "appointment_booking_calendar",
                "vendor": "nsquared",
                "versions": [
                  {
                    "lessThan": "1.6.7.55",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.8,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7877",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-05T15:41:25.929217Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-05T15:50:50.548Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.6.7.55",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jeewan Kumar Bhatta"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Notification settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-05T06:00:07.856Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/fbec3738-2135-458d-be25-1ffb00e6deb6/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Appointment Booking Calendar \u003c 1.6.7.55 - Admin+ Stored XSS",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2024-7877",
        "datePublished": "2024-11-05T06:00:07.856Z",
        "dateReserved": "2024-08-16T12:25:01.921Z",
        "dateUpdated": "2024-11-05T15:50:50.548Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7876 (GCVE-0-2024-7876)

    Vulnerability from cvelistv5 – Published: 2024-11-05 06:00 – Updated: 2024-11-05 15:52
    VLAI
    Title
    Appointment Booking Calendar < 1.6.7.55 - Admin+ Stored XSS
    Summary
    The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Appointment Type settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/fffe862f-5bf0-4a05-9d32-caff0bfdb860/ exploit, vdb-entry, technical-description
    Impacted products
    Vendor Product Version
    Unknown Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin Affected: 0 , < 1.6.7.55 (semver)
    nsquared appointment_booking_calendar Affected: 0 , < 1.6.7.55 (semver)
        cpe:2.3:a:nsquared:appointment_booking_calendar:*:*:*:*:*:*:*:*
    Credits
    Jeewan Kumar Bhatta WPScan

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:nsquared:appointment_booking_calendar:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "appointment_booking_calendar",
                "vendor": "nsquared",
                "versions": [
                  {
                    "lessThan": "1.6.7.55",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.8,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7876",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-05T15:51:25.557309Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-05T15:52:12.176Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.6.7.55",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jeewan Kumar Bhatta"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Appointment Type settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-05T06:00:07.461Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/fffe862f-5bf0-4a05-9d32-caff0bfdb860/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Appointment Booking Calendar \u003c 1.6.7.55 - Admin+ Stored XSS",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2024-7876",
        "datePublished": "2024-11-05T06:00:07.461Z",
        "dateReserved": "2024-08-16T12:20:01.517Z",
        "dateUpdated": "2024-11-05T15:52:12.176Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7129 (GCVE-0-2024-7129)

    Vulnerability from cvelistv5 – Published: 2024-09-13 06:00 – Updated: 2025-09-15 19:26
    VLAI
    Title
    Appointment Booking Calendar < 1.6.7.43 - Admin+ Template Injection to RCE
    Summary
    The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which, if further exploited, can result in remote code execution by high-privilege users such as admins
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/00ad9b1a-97a5-425f-841e-ea48f72ecda4/ exploit, vdb-entry, technical-description
    Impacted products
    Vendor Product Version
    Unknown Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin Affected: 0 , < 1.6.7.43 (semver)
    nsquared appointment_booking_calendar Affected: 0 , < 1.6.7.43 (semver)
        cpe:2.3:a:nsquared:appointment_booking_calendar:*:*:*:*:*:*:*:*
    Credits
    Jeewan Kumar Bhatta WPScan

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:nsquared:appointment_booking_calendar:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "appointment_booking_calendar",
                "vendor": "nsquared",
                "versions": [
                  {
                    "lessThan": "1.6.7.43",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7129",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-13T13:46:10.172882Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-15T19:26:20.635Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.6.7.43",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jeewan Kumar Bhatta"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to remote code Execution by high privilege such as admins"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-27T12:00:40.205Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/00ad9b1a-97a5-425f-841e-ea48f72ecda4/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Appointment Booking Calendar \u003c 1.6.7.43 - Admin+ Template Injection to RCE",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2024-7129",
        "datePublished": "2024-09-13T06:00:03.731Z",
        "dateReserved": "2024-07-26T11:56:34.810Z",
        "dateUpdated": "2025-09-15T19:26:20.635Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }