Appointment Booking Plugin
Monthly
Cross-Site Request Forgery in the Appointment Booking Plugin for WordPress (versions before 5.6.3) allows an unauthenticated attacker to perform privileged administrative actions - including overwriting the booking-form configuration and disconnecting the connected payment gateway - by tricking a logged-in administrator into clicking a malicious link or visiting an attacker-controlled page. The root cause is absent CSRF nonce validation across multiple state-changing actions handled by the plugin's central request dispatcher. A publicly available proof-of-concept exists per the WPScan advisory, though EPSS sits at 0.10% (1st percentile), indicating negligible observed exploitation activity and no CISA KEV listing at time of analysis.
Cross-Site Request Forgery in the Appointment Booking Plugin for WordPress (versions before 5.6.3) allows an unauthenticated attacker to perform privileged administrative actions - including overwriting the booking-form configuration and disconnecting the connected payment gateway - by tricking a logged-in administrator into clicking a malicious link or visiting an attacker-controlled page. The root cause is absent CSRF nonce validation across multiple state-changing actions handled by the plugin's central request dispatcher. A publicly available proof-of-concept exists per the WPScan advisory, though EPSS sits at 0.10% (1st percentile), indicating negligible observed exploitation activity and no CISA KEV listing at time of analysis.