Appointment Buddy Widget CVE-2025-25099
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in accreteinfosolution Appointment Buddy Widget allows Reflected XSS. This issue affects Appointment Buddy Widget: from n/a through 1.2.
AnalysisAI
Reflected cross-site scripting in Appointment Buddy Widget (WordPress plugin) versions up to 1.2 allows remote attackers to execute malicious scripts in victim browsers via crafted URLs. Scope change in CVSS vector indicates potential session hijacking or data exfiltration across origin boundaries. EPSS score of 0.15% (36th percentile) suggests low likelihood of mass exploitation, but XSS remains a viable social engineering attack vector. Reported by Patchstack audit team with public disclosure via vulnerability database.
Technical ContextAI
This is a reflected XSS vulnerability (CWE-79) in the Appointment Buddy Widget WordPress plugin developed by accreteinfosolution. Reflected XSS occurs when user-supplied input is immediately returned by a web application in HTTP responses without proper sanitization or encoding. The plugin likely accepts user input via GET/POST parameters for appointment booking functionality and reflects this data in generated HTML pages without adequate output encoding. WordPress plugins commonly exhibit this flaw when directly echoing $_GET or $_REQUEST variables into HTML contexts without using WordPress escaping functions like esc_html() or esc_attr(). The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's security scope, typical when XSS can compromise user sessions or interact with other WordPress components.
Affected ProductsAI
WordPress plugin Appointment Buddy Widget (also known as 'Appointment Buddy Online Appointment Booking by Accrete') developed by accreteinfosolution, affecting all versions from initial release through version 1.2. The vulnerability was reported by Patchstack's audit team and documented in their WordPress plugin vulnerability database at patchstack.com/database/wordpress/plugin/appointment-buddy-online-appointment-booking-by-accrete/.
RemediationAI
Update Appointment Buddy Widget to a version newer than 1.2 if available; check the WordPress plugin repository or contact accreteinfosolution for patch status. As of this analysis, no vendor-released patched version is independently confirmed from available data - verify current version status at wordpress.org/plugins before deployment. If no patch is available, implement compensating controls: restrict plugin usage to trusted administrative users only via WordPress role management; deploy Web Application Firewall rules to filter common XSS payloads in query parameters associated with appointment booking forms (review logs to identify specific vulnerable parameters); enable Content Security Policy headers to restrict inline script execution and limit script-src directives to trusted domains, though this may break legitimate plugin functionality requiring inline scripts. Consider temporarily disabling the plugin if appointment booking can be handled through alternative mechanisms. Monitor Patchstack advisory at the provided reference URLs for vendor response and patch availability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today