Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected/stored XSS in a public WordPress plugin endpoint is network-reachable without auth (PR:N) but needs the victim to load the payload (UI:R); script executes outside the vulnerable component's scope with limited C/I/A.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.10.6 versions.
AnalysisAI
Unauthenticated reflected/stored cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.10.6) allows remote attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. Successful exploitation can lead to session hijacking, credential theft, or administrative actions performed in the context of the targeted user. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
The affected product is the nsquared 'Simply Schedule Appointments' WordPress plugin (CPE cpe:2.3:a:nsquared:simply_schedule_appointments:*), an appointment-booking plugin used on WordPress sites. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is reflected or stored into HTML responses without proper output encoding or input sanitization. As a WordPress plugin, the vulnerable code likely lives in a public-facing form handler, AJAX endpoint, or shortcode renderer that accepts attacker-controlled parameters and emits them into the DOM, enabling script injection within the WordPress site's origin.
RemediationAI
Upgrade the Simply Schedule Appointments WordPress plugin to a release later than 1.6.10.6 once the vendor publishes a fixed version; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-10-6-cross-site-scripting-xss-vulnerability for the patched build identifier, as no exact fix version was supplied in the input data. Until a patched release is available, compensating controls include deploying a WordPress-aware WAF (such as Patchstack, Wordfence, or Cloudflare managed rules) with rules targeting reflected XSS payloads against the plugin's endpoints, restricting public access to the booking form pages via IP allowlisting where business-feasible (with the trade-off of breaking legitimate self-service bookings), and setting a strict Content-Security-Policy header that disallows inline scripts (which may break other plugins or theme features that rely on inline JS). Operators should also enforce session hardening: HttpOnly and Secure cookie flags and short admin session lifetimes to limit the impact of session theft if an administrator is lured into clicking a crafted link.
More in Simply Schedule Appointments
View allThe Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user inpu
Unauthenticated SQL injection in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.9.27) allows remote a
The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing u
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not
The Simply Schedule Appointments WordPress plugin before 1.5.7.7 does not sanitise and escape some of its settings, whic
Blind SQL injection in NSquared Simply Schedule Appointments WordPress plugin versions ≤1.6.9.27 allows authenticated at
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in N Squared Appointm
Unauthenticated sensitive data exposure in the Simply Schedule Appointments WordPress plugin versions prior to 1.6.11.2
Missing Authorization in NSquared's Simply Schedule Appointments WordPress plugin (versions through 1.6.11.11) allows un
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36927
GHSA-hgxq-5m3h-9v37