wp-plugin : wp-appointments-schedules – A3-Cross-Site Scripting (XSS)


Plugin Details


Plugin Name : wp-appointments-schedules


Affected Version : 1.5 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Anant Shrivastava



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :



Vulnerable Parameter : lang


Disclosure Timeline


Vendor Contacted : 2014-01-17

Plugin Status : Closed
Public Disclosure : June 12, 2014
CVE Number : CVE-2014-4579

Plugin Description :
This WordPress plugin will let you create and manage schedules.
You can add, delete, and manage appointments for each schedule.
Individual schedules can be displayed on the website and may be
enabled to allow online reservations by registered users.

To add a schedule to a page add "[[DISPLAYSCHEDULE_PAUL]]" to the post in the page of interest for a schedule created with the name "Paul".
