Skip to main content

Creavi Appointment Booking Calendar

1 CVEs product

Monthly

CVE-2026-1856 MEDIUM This Month

Stored Cross-Site Scripting in the Creavi Appointment Booking Calendar plugin for WordPress (all versions through 1.4.4) allows authenticated attackers holding Author-level access or higher to permanently inject arbitrary JavaScript via unsanitized custom booking field labels. The malicious payload executes in the browser of any user who subsequently visits a page containing the injected booking form, enabling session hijacking, credential harvesting, or malicious redirects against site visitors and administrators alike. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis, though a fix commit is available in the WordPress plugin Trac repository.

WordPress XSS Creavi Appointment Booking Calendar
NVD
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Creavi Appointment Booking Calendar plugin for WordPress (all versions through 1.4.4) allows authenticated attackers holding Author-level access or higher to permanently inject arbitrary JavaScript via unsanitized custom booking field labels. The malicious payload executes in the browser of any user who subsequently visits a page containing the injected booking form, enabling session hijacking, credential harvesting, or malicious redirects against site visitors and administrators alike. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis, though a fix commit is available in the WordPress plugin Trac repository.

WordPress XSS Creavi Appointment Booking Calendar
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy