VYPR
High severity 7.3 · NVD Advisory · Published Mar 13, 2025 · Updated Apr 15, 2026

CVE-2025-1119

Description

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.6.8.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated arbitrary shortcode execution in Simply Schedule Appointments plugin for WordPress (≤1.6.8.5) via the customer_locale parameter, enabling code injection and stored XSS.

Vulnerability Overview

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress (all versions up to and including 1.6.8.5) is vulnerable to arbitrary shortcode execution. This stems from insufficient validation of the customer_locale parameter in the booking API endpoint, allowing an attacker to inject custom shortcode payloads that are passed directly to do_shortcode() without proper sanitization [1]. The flaw has been assigned CWE-94 (Code Injection) [1].

Exploitation Details

The attack can be carried out remotely without authentication, requiring only network access to the WordPress site. By manipulating the customer_locale parameter—expected to hold locale codes like "en_US" or "pt_BR"—an attacker can inject a crafted payload that escapes the expected context [1]. When the payload reaches the do_shortcode() function, it enables the execution of arbitrary WordPress shortcodes, including those that create administrative users, inject malicious content, or perform other actions the current user context (unauthenticated) allows [1]. Additionally, the same injection vector can lead to Stored Cross-Site Scripting (XSS) because the malicious shortcode output may persist in the database and execute in the browser of anyone viewing the appointment edit page [1].
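As an added illustration (not the plugin's code and not taken from the advisory), the pattern described above in the shape of a hypothetical WordPress REST callback: an untrusted customer_locale value reaching do_shortcode(), beside a hardened version that validates the locale and keeps request input out of the shortcode parser. All function and option names are assumed; only customer_locale and do_shortcode() come from the advisory.

```php
<?php
// Hypothetical code for illustration; not the plugin's implementation.
// Function, route and option names are made up for this example.

// Vulnerable pattern: a request value reaches do_shortcode() unvalidated, so a
// value such as "[some_shortcode]" in customer_locale is parsed and executed
// as a shortcode instead of being treated as an opaque locale code.
function ssa_demo_unsafe_callback( WP_REST_Request $request ) {
    $locale   = (string) $request->get_param( 'customer_locale' );
    $template = get_option( 'ssa_demo_notice_template', 'Booked ({locale})' );
    $text     = str_replace( '{locale}', $locale, $template );
    return rest_ensure_response( array( 'notice' => do_shortcode( $text ) ) );
}

// Hardened version: (1) accept only the canonical locale shape, (2) restrict
// to locales actually installed on the site, (3) never feed the value to the
// shortcode parser, and (4) escape it on output so it cannot become stored XSS.
function ssa_demo_validate_locale( $value ) {
    if ( ! is_string( $value ) || ! preg_match( '/^[a-z]{2,3}(_[A-Z]{2})?$/', $value ) ) {
        return false;
    }
    // get_available_languages() lists installed translations, e.g. "pt_BR";
    // en_US is the built-in default and is not in that list.
    $allowed = array_merge( array( 'en_US' ), get_available_languages() );
    return in_array( $value, $allowed, true ) ? $value : false;
}

function ssa_demo_safe_callback( WP_REST_Request $request ) {
    $locale = ssa_demo_validate_locale( $request->get_param( 'customer_locale' ) );
    if ( false === $locale ) {
        return new WP_Error( 'invalid_locale', 'Unsupported locale.', array( 'status' => 400 ) );
    }
    // Expand shortcodes only over the trusted, admin-controlled template, then
    // substitute the validated value afterwards so user input never enters
    // do_shortcode().
    $template = get_option( 'ssa_demo_notice_template', 'Booked ({locale})' );
    $rendered = do_shortcode( $template );
    $text     = str_replace( '{locale}', esc_html( $locale ), $rendered );
    return rest_ensure_response( array( 'notice' => $text ) );
}
```

The same check can also be attached as the parameter's validate_callback in register_rest_route(), so malformed values are rejected before the callback runs at all.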

Impact

Successful exploitation grants an unauthenticated attacker the ability to execute arbitrary shortcodes on the affected WordPress site. Depending on the shortcodes available, this can result in privilege escalation, data theft, or complete site compromise. The stored XSS component can also target site administrators, potentially leading to session hijacking or further persistent attacks [1].

Mitigation

The vendor has addressed this issue in version 1.6.8.6 of the plugin [1]. Users are strongly advised to update immediately. No workaround was publicly provided aside from upgrading [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
