CVE-2025-25099
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in accreteinfosolution Appointment Buddy Widget (appointment-buddy-online-appointment-booking-by-accrete) allows Cross-Site Scripting (XSS). This issue affects Appointment Buddy Widget: from n/a through <= 1.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in Appointment Buddy Widget plugin allows attackers to inject malicious scripts via improper input neutralization.
A stored Cross-Site Scripting (XSS) vulnerability exists in the WordPress plugin Appointment Buddy Widget (appointment-buddy-online-appointment-booking-by-accrete) versions up to and including 1.2. The vulnerability is due to improper neutralization of input during web page generation, enabling the injection of arbitrary HTML and JavaScript.[1]
According to the cited advisory, exploitation requires an account whose role can submit the affected inputs; the attacker stores the payload there and then needs a more privileged user to load the page that renders it, for example by following a link to it. Because the payload is stored server-side, that single page visit is enough to execute it; no further interaction from the attacker is required.[1]
Successful exploitation allows an attacker to inject malicious scripts — such as redirects, advertisements, or other HTML payloads — into the website. These scripts execute when other users (including guests) visit the affected page, leading to potential data theft, defacement, or further compromise.[1]
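The pattern behind CWE-79 in a WordPress widget, shown as an added illustration rather than code from the Appointment Buddy Widget plugin (the page does not say which setting or template is the unescaped sink, so the function names, option keys and payloads below are hypothetical). The vulnerable renderer concatenates a saved widget setting straight into HTML; the hardened renderer escapes per output context with the WordPress helpers esc_html() and esc_attr(), and a save-time sanitizer is added as defence in depth. The shims at the top only exist so the file also runs under the php CLI; inside WordPress the real functions are used.

```php
<?php
// Added illustrative example, not code from the Appointment Buddy Widget plugin.
// Function and option names are hypothetical; payloads are constructed test input.

// Shims so the script runs outside WordPress (php -f stored_xss_widget.php).
// Inside WordPress these names already exist and the shims are skipped.
// The sanitize_text_field() shim is an approximation of the WordPress one.
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) { return trim(strip_tags((string) $str)); }
}

// VULNERABLE pattern: a saved widget setting is concatenated into markup as-is.
// Whoever can save the setting stores a payload that every visitor's browser runs.
function render_booking_widget_vulnerable(array $instance): string {
    return '<div class="booking-widget" data-service="' . $instance['service'] . '">'
         . '<h3>' . $instance['title'] . '</h3></div>';
}

// HARDENED pattern: escape for the context at output time. esc_html() for element
// content, esc_attr() for attribute values. Escaping on output means a value that
// reached the database by any path (import, REST, direct DB write) is still neutralized.
function render_booking_widget_hardened(array $instance): string {
    return '<div class="booking-widget" data-service="' . esc_attr($instance['service']) . '">'
         . '<h3>' . esc_html($instance['title']) . '</h3></div>';
}

// Defence in depth: sanitize on save as well, as a WP_Widget::update() would.
function sanitize_booking_widget_settings(array $new_instance): array {
    return [
        'title'   => sanitize_text_field($new_instance['title'] ?? ''),
        'service' => sanitize_text_field($new_instance['service'] ?? ''),
    ];
}

// Constructed payloads, one per output context, to show why a single escaper
// chosen without regard to context is not enough: the second one breaks out of
// an attribute rather than injecting a tag.
$stored = [
    'title'   => '<img src=x onerror=alert(document.cookie)>',
    'service' => '" autofocus onfocus="alert(1)',
];

echo "vulnerable:\n" . render_booking_widget_vulnerable($stored) . "\n\n";
echo "hardened:\n"   . render_booking_widget_hardened($stored)   . "\n\n";
echo "sanitized on save, then hardened:\n"
   . render_booking_widget_hardened(sanitize_booking_widget_settings($stored)) . "\n";
```

Running the file shows the vulnerable output carrying a live img tag and an attribute breakout (`data-service="" autofocus onfocus="alert(1)"`), while the hardened output renders the same strings as inert text (`&lt;img ...&gt;` and `&quot; autofocus ...`). When reviewing a plugin for this class of bug, grep for settings, shortcode attributes and form fields that reach echo or print without an esc_* or wp_kses* call on the output side; save-time sanitization alone is not a fix.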
No official patch was available at the time this page was generated. Update the plugin as soon as a release newer than 1.2 that addresses the issue appears. Until then, Patchstack provides a mitigation rule that blocks attacks against this vulnerability, which can be applied while waiting for the official fix.[1]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.