CVE-2026-39447

Vulnerability

The Simply Schedule Appointments plugin for WordPress versions up to and including 1.6.10.6 is vulnerable to Cross-Site Scripting (XSS) that can be triggered without authentication. However, successful exploitation requires a privileged user—such as an administrator or editor—to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form. The vulnerability resides in insufficient sanitization of user-supplied input [1].

Exploitation

An unauthenticated attacker crafts a URL or page containing an XSS payload and induces a privileged user to interact with it (e.g., by sending a phishing link). Upon the victim clicking the link or submitting the form, the malicious script executes in the context of the admin's session, bypassing standard access controls [1].

Impact

A successful exploit allows the attacker to inject arbitrary HTML and JavaScript into the WordPress admin interface. This can lead to redirects to malicious sites, injection of advertisements, theft of session cookies, or further compromise of the website, affecting visitors and potentially enabling mass-exploit campaigns [1].

Mitigation

Versions 1.6.11.0 or later resolve the vulnerability. Users should update immediately. If unable to update, a mitigation rule is available from Patchstack to block attacks until patching occurs. Auto-updates can be enabled for vulnerable plugins [1].