EPSS Percentile: 36.0%
The lack of an authorisation check in the cpabc_appointments_save_edition() function can lead to stored XSS via the editionarea parameter when cfwpp_edit is set to ‘js’ or ‘css’.
The payload will be triggered in all pages with a booking form.
plugins.trac.wordpress.org/changeset?reponame=&new=2117259%40appointment-booking-calendar&old=2112885%40appointment-booking-calendar
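
The class of fix for the flaw described above, as an added sketch that is not the plugin's code and is not taken from the linked changeset: a WordPress save handler that checks capability and nonce before storing the editionarea value. The function name, hook, capability, nonce action and option names are assumptions chosen for illustration.

```php
<?php
// Added sketch, not the plugin's code. The option names, nonce action,
// capability and hook are assumptions chosen for illustration.
function example_save_edition() {
    // Only handle the edit request named in the advisory.
    if ( ! isset( $_POST['cfwpp_edit'], $_POST['editionarea'] )
        || ! is_string( $_POST['cfwpp_edit'] )
        || ! is_string( $_POST['editionarea'] ) ) {
        return;
    }

    // Authorisation: registering on an admin hook is not an access control,
    // so the handler itself must verify the caller's capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF: require the nonce issued with the settings form (dies on failure).
    check_admin_referer( 'example_save_edition' );

    // Allowlist the edit target; only 'js' and 'css' map to a stored option.
    $targets = array(
        'js'  => 'example_custom_js',  // hypothetical option name
        'css' => 'example_custom_css', // hypothetical option name
    );
    $target = sanitize_key( wp_unslash( $_POST['cfwpp_edit'] ) );
    if ( ! isset( $targets[ $target ] ) ) {
        wp_die( 'Unknown edit target.', '', array( 'response' => 400 ) );
    }

    $content = wp_unslash( $_POST['editionarea'] );
    if ( 'css' === $target ) {
        // CSS never needs markup; stripping tags blocks a </style> breakout.
        $content = wp_strip_all_tags( $content );
    }
    // The 'js' value is script by design and runs on every page with a
    // booking form, so the capability check above is what protects it.
    update_option( $targets[ $target ], $content );
}
add_action( 'admin_init', 'example_save_edition' );
```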