VYPR
Medium severity · 4.9 · NVD Advisory · Published Feb 11, 2025 · Updated Apr 15, 2026

CVE-2025-0862

Description

The SuperSaaS – online appointment scheduling plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘after’ parameter in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is limited to Chromium-based browsers (e.g. Chrome, Edge, Brave).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in the SuperSaaS WordPress plugin ≤2.1.12 allows authenticated users with Contributor-level access and above to inject arbitrary scripts via the 'after' parameter.

Vulnerability

The SuperSaaS – online appointment scheduling plugin for WordPress versions up to and including 2.1.12 contains a stored cross-site scripting vulnerability in the supersaas_button_hook function of the shortcode.php file [1][2]. The after parameter, which is used to determine the schedule name, is not properly sanitized before being output, allowing injection of arbitrary HTML and JavaScript. This affects all versions up to 2.1.12.
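To make the bug class concrete, here is an added illustration of a WordPress shortcode handler that interpolates an attribute into HTML unescaped, beside a hardened version. This is not the SuperSaaS plugin's code; the shortcode name, handler names and output markup are hypothetical, and only the 'after' attribute name comes from the advisory.

```php
<?php
// Added illustration (not the SuperSaaS plugin's own code): a minimal WordPress
// shortcode handler showing the class of bug described above, beside a hardened
// version. Handler and shortcode names are hypothetical; 'after' is the only
// name taken from the advisory.

// Vulnerable pattern: the attribute reaches the page unescaped. Anyone who can
// save [example_button after="..."] in a post (Contributor and above) controls
// what is emitted verbatim into every view of that page: stored XSS.
function example_button_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'after' => '' ), $atts, 'example_button' );
    return '<a class="example-button" data-schedule="' . $atts['after'] . '">'
         . 'Book: ' . $atts['after'] . '</a>';
}

// Hardened pattern: default the attribute, restrict it to the value shape the
// feature needs, then escape for the exact output context it lands in.
function example_button_safe( $atts ) {
    $atts = shortcode_atts( array( 'after' => '' ), $atts, 'example_button' );

    // Allow-list: a schedule name should be a short token, never markup.
    // Reject anything else instead of trying to strip bad characters out.
    $schedule = (string) $atts['after'];
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $schedule ) ) {
        return '';
    }

    // Escape per context: esc_attr() inside an attribute value, esc_html()
    // inside the element body. Input validation above is defence in depth;
    // the escaping is what actually neutralises the injection.
    return '<a class="example-button" data-schedule="' . esc_attr( $schedule ) . '">'
         . 'Book: ' . esc_html( $schedule ) . '</a>';
}

add_shortcode( 'example_button', 'example_button_safe' );
```

The same review question applies to any shortcode or template tag: every attribute that originates from post content must be escaped with the function matching its output context (esc_attr, esc_html, esc_url, or wp_kses_post when limited markup is intended).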

Exploitation

An authenticated attacker with at least Contributor-level access can inject malicious scripts through the after parameter of the [supersaas] shortcode. The injected payload is stored and executed when a user views the page containing the shortcode. However, exploitation is limited to Chromium-based browsers (e.g., Chrome, Edge, Brave) due to the browser-specific nature of the XSS vector.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information, compromising the confidentiality and integrity of the affected WordPress site. The attacker does not gain direct server-side control but can perform actions on behalf of the victim.

Mitigation

The vulnerability exists in plugin versions up to and including 2.1.12. As of the publication date (2025-02-11), no patched version has been released. Users are advised to discontinue use of the plugin until a fix is provided. Workarounds include restricting access to the plugin shortcode for non-administrative users or disabling the plugin entirely. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
