Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML.
packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html
drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9
wordpress.org/plugins/appointment-booking-calendar/#developers
wpvulndb.com/vulnerabilities/10110
www.hotdreamweaver.com/support/view.php?id=815925