Appointment Hour Booking – WordPress Booking Plugin < 1.3.17 - Authenticated Stored XSS

An authenticated attacker with the ability to create calendars can inject malicious JavaScript into calendar fields that are not sanitized [ref_id=1]. When other users (including administrators) view the calendar, the stored payload executes in their browser. The attack requires an authenticated WordPress user role that has calendar creation privileges, and the malicious input is stored server-side and triggered on page load.

The advisory does not specify exact file paths or function names. The vulnerability exists in the Appointment Hour Booking WordPress plugin, affecting calendar creation functionality where user-supplied values are not properly sanitized before being stored.

The advisory states the vulnerability is fixed in version 1.3.17 of the plugin [ref_id=1]. No patch diff is provided in the bundle, but the fix presumably adds proper sanitization or escaping of user-supplied values when creating new calendars, preventing malicious script content from being stored and later rendered in the browser.