| CVE-2024-2842 | Med | 0.42 | 6.4 | 0.00 | | Mar 29, 2024 | The Easy Appointments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ea_full_calendar' shortcode in all versions up to, and including, 3.11.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2017-15812 | Med | 0.40 | 6.1 | 0.00 | | Oct 23, 2017 | The Easy Appointments plugin before 1.12.0 for WordPress has XSS via Settings values in the admin panel. |
| CVE-2024-2844 | Med | 0.28 | 4.3 | 0.00 | | Mar 29, 2024 | The Easy Appointments plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user validation on the ajax_cancel_appointment() function in all versions up to, and including, 3.11.18. This makes it possible for unauthenticated attackers to cancel other users' orders. |