Skip to main content

Appointment Buddy Widget CVE-2025-25099

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in accreteinfosolution Appointment Buddy Widget allows Reflected XSS. This issue affects Appointment Buddy Widget: from n/a through 1.2.

AnalysisAI

Reflected cross-site scripting in Appointment Buddy Widget (WordPress plugin) versions up to 1.2 allows remote attackers to execute malicious scripts in victim browsers via crafted URLs. Scope change in CVSS vector indicates potential session hijacking or data exfiltration across origin boundaries. EPSS score of 0.15% (36th percentile) suggests low likelihood of mass exploitation, but XSS remains a viable social engineering attack vector. Reported by Patchstack audit team with public disclosure via vulnerability database.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79) in the Appointment Buddy Widget WordPress plugin developed by accreteinfosolution. Reflected XSS occurs when user-supplied input is immediately returned by a web application in HTTP responses without proper sanitization or encoding. The plugin likely accepts user input via GET/POST parameters for appointment booking functionality and reflects this data in generated HTML pages without adequate output encoding. WordPress plugins commonly exhibit this flaw when directly echoing $_GET or $_REQUEST variables into HTML contexts without using WordPress escaping functions like esc_html() or esc_attr(). The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's security scope, typical when XSS can compromise user sessions or interact with other WordPress components.

Affected ProductsAI

WordPress plugin Appointment Buddy Widget (also known as 'Appointment Buddy Online Appointment Booking by Accrete') developed by accreteinfosolution, affecting all versions from initial release through version 1.2. The vulnerability was reported by Patchstack's audit team and documented in their WordPress plugin vulnerability database at patchstack.com/database/wordpress/plugin/appointment-buddy-online-appointment-booking-by-accrete/.

RemediationAI

Update Appointment Buddy Widget to a version newer than 1.2 if available; check the WordPress plugin repository or contact accreteinfosolution for patch status. As of this analysis, no vendor-released patched version is independently confirmed from available data - verify current version status at wordpress.org/plugins before deployment. If no patch is available, implement compensating controls: restrict plugin usage to trusted administrative users only via WordPress role management; deploy Web Application Firewall rules to filter common XSS payloads in query parameters associated with appointment booking forms (review logs to identify specific vulnerable parameters); enable Content Security Policy headers to restrict inline script execution and limit script-src directives to trusted domains, though this may break legitimate plugin functionality requiring inline scripts. Consider temporarily disabling the plugin if appointment booking can be handled through alternative mechanisms. Monitor Patchstack advisory at the provided reference URLs for vendor response and patch availability.

Share

CVE-2025-25099 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy