Skip to main content

Simply Schedule Appointments EUVDEUVD-2026-36927

| CVE-2026-39447 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-hgxq-5m3h-9v37
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected/stored XSS in a public WordPress plugin endpoint is network-reachable without auth (PR:N) but needs the victim to load the payload (UI:R); script executes outside the vulnerable component's scope with limited C/I/A.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:33 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.10.6 versions.

AnalysisAI

Unauthenticated reflected/stored cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.10.6) allows remote attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. Successful exploitation can lead to session hijacking, credential theft, or administrative actions performed in the context of the targeted user. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

The affected product is the nsquared 'Simply Schedule Appointments' WordPress plugin (CPE cpe:2.3:a:nsquared:simply_schedule_appointments:*), an appointment-booking plugin used on WordPress sites. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is reflected or stored into HTML responses without proper output encoding or input sanitization. As a WordPress plugin, the vulnerable code likely lives in a public-facing form handler, AJAX endpoint, or shortcode renderer that accepts attacker-controlled parameters and emits them into the DOM, enabling script injection within the WordPress site's origin.

RemediationAI

Upgrade the Simply Schedule Appointments WordPress plugin to a release later than 1.6.10.6 once the vendor publishes a fixed version; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-10-6-cross-site-scripting-xss-vulnerability for the patched build identifier, as no exact fix version was supplied in the input data. Until a patched release is available, compensating controls include deploying a WordPress-aware WAF (such as Patchstack, Wordfence, or Cloudflare managed rules) with rules targeting reflected XSS payloads against the plugin's endpoints, restricting public access to the booking form pages via IP allowlisting where business-feasible (with the trade-off of breaking legitimate self-service bookings), and setting a strict Content-Security-Policy header that disallows inline scripts (which may break other plugins or theme features that rely on inline JS). Operators should also enforce session hardening: HttpOnly and Secure cookie flags and short admin session lifetimes to limit the impact of session theft if an administrator is lured into clicking a crafted link.

CVE-2024-7129 HIGH POC
7.2 Sep 13

The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user inpu

CVE-2026-39493 CRITICAL
9.3 Jun 15

Unauthenticated SQL injection in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.9.27) allows remote a

CVE-2022-2373 MEDIUM POC
5.3 Aug 29

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing u

CVE-2024-2341 HIGH
8.8 Apr 09

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL

CVE-2024-2342 HIGH
8.8 Apr 09

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL

CVE-2024-7877 MEDIUM POC
4.8 Nov 05

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not

CVE-2024-7876 MEDIUM POC
4.8 Nov 05

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not

CVE-2022-2374 MEDIUM POC
4.8 Aug 29

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 does not sanitise and escape some of its settings, whic

CVE-2026-39495 HIGH
8.5 Apr 08

Blind SQL injection in NSquared Simply Schedule Appointments WordPress plugin versions ≤1.6.9.27 allows authenticated at

CVE-2023-50851 HIGH
7.6 Dec 28

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in N Squared Appointm

CVE-2026-42384 HIGH
7.5 Jun 15

Unauthenticated sensitive data exposure in the Simply Schedule Appointments WordPress plugin versions prior to 1.6.11.2

CVE-2026-59523 MEDIUM
6.5 Jul 13

Missing Authorization in NSquared's Simply Schedule Appointments WordPress plugin (versions through 1.6.11.11) allows un

Share

EUVD-2026-36927 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy