The lack of an authorisation check in the cpabc_appointments_save_edition() function can lead to stored XSS via the editionarea parameter when cfwpp_edit is set to ‘js’ or ‘css’.
The payload is triggered on every page that contains a booking form.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | appointment-booking-calendar | lt | 1.3.19 |
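
The missing check described above is the kind a capability test plus a nonce closes. The following is an added illustration, not the plugin's own code or its actual fix: the handler name, nonce action and option names are hypothetical, and the request is assumed to arrive via POST; only the cfwpp_edit and editionarea parameter names come from the advisory.

```php
<?php
// Added illustration, not the plugin's code. example_save_edition, the nonce
// action/field and the option names are hypothetical; the WordPress API calls
// are real. The parameters are assumed to arrive via POST.

// Note: admin_init also fires for unauthenticated requests to admin-ajax.php
// and admin-post.php, so hooking here is NOT an authorisation check by itself.
add_action( 'admin_init', 'example_save_edition' );

function example_save_edition() {
    // Only act on the edit request described in the advisory.
    if ( ! isset( $_POST['cfwpp_edit'], $_POST['editionarea'] ) ) {
        return;
    }

    // 1. Authorisation: only administrators may change site-wide JS/CSS.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF: the request must carry the nonce issued with the edit form
    //    (check_admin_referer() terminates the request if it is missing or stale).
    check_admin_referer( 'example_save_edition', 'example_nonce' );

    // 3. Allow-list the edit target instead of trusting the raw parameter.
    $targets = array(
        'js'  => 'example_custom_js',
        'css' => 'example_custom_css',
    );
    $target = sanitize_key( wp_unslash( $_POST['cfwpp_edit'] ) );
    if ( ! isset( $targets[ $target ] ) ) {
        wp_die( 'Bad request', 'Bad request', array( 'response' => 400 ) );
    }

    $content = wp_unslash( $_POST['editionarea'] );
    if ( 'css' === $target ) {
        // CSS is emitted inside <style>; drop markup so it cannot close the tag.
        $content = wp_strip_all_tags( $content );
    }
    // Custom JS is stored as written: it is script by design, which is why
    // steps 1 and 2 must gate who is allowed to save it.
    update_option( $targets[ $target ], $content );
}
```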