appointment-booking-calendar Plugin Vulnerability (CVE-2016-20084)

Security Alert Summary

Version 1.1.24 of the WordPress plugin appointment-booking-calendar contains multiple privilege escalation (missing access control) vulnerabilities: the code that processes the plugin's admin.php page parameters does not verify that the request comes from an authenticated, authorized user, so an unauthenticated attacker can modify calendar settings and store attacker-controlled values in the plugin options. Because those stored values are later rendered without output encoding, JavaScript placed in them executes whenever the calendar is displayed or opened in the administration interface (persistent cross-site scripting, XSS).


CVE Details

  • CVE ID: CVE-2016-20084
  • Affected component: WordPress appointment-booking-calendar plugin
  • Affected versions: 1.1.24
  • Published: June 15, 2026 at 2:16:32 PM UTC
  • Last modified: June 15, 2026 at 2:16:32 PM UTC
  • CVSS v3.1: Base Score 7.2 | Severity: HIGH | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  • Authentication / Privileges / User interaction:
    • Authentication required: None
    • Privileges required: None
    • User interaction: None
  • Primary impact:
    • Confidentiality: Low
    • Integrity: Low
    • Availability: None
  • CWE / Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-site Scripting)

Technical Details

The plugin contains multiple privilege escalation issues: unauthenticated HTTP GET requests carrying the administrative admin.php page parameters can change calendar settings and persist attacker-controlled input. The vulnerability description names the affected fields as the ict and ics options and the calendar name parameter. These fields are populated directly from GET parameters, no authentication or authorization check is applied to the request, and the values are neither sanitized nor validated before being stored.

Because the stored input is later rendered in the administration interface, JavaScript injected into any of these fields executes when the calendar is displayed or when an administrator opens the calendar management pages. The issue is therefore a persistent cross-site scripting (XSS) flaw combined with missing access control: the settings can be changed without any prior authentication, and the payload fires in the browser of whoever views them.

Impact, as scored, is limited to the confidentiality and integrity of data exposed or rendered on the affected admin screens (CVSS 3.1 rates both Low, with Scope: Changed because the script runs in the administrator's browser rather than in the plugin's own security context). The available data does not indicate a direct availability impact or remote code execution. Note that the Low ratings describe the XSS itself, not what an attacker can chain from it: script running in an administrator's browser can issue any request that administrator is allowed to make.
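To make the mechanism concrete, here is an illustrative reconstruction of this bug class as a WordPress mu-plugin. It is an added example, not the appointment-booking-calendar plugin's code: the page slug, the option names and the use of the init hook are assumptions, and only the parameter names name, ict and ics come from the advisory's description. It shows why such a handler is reachable without logging in and why the stored values become persistent XSS. Install it only on a throwaway site.

```php
<?php
/*
 * Illustrative reconstruction of the bug class (added example; NOT the
 * appointment-booking-calendar plugin's code). Hypothetical names:
 * page slug 'hyp-calendar', options 'hyp_cal_name', 'hyp_cal_ict', 'hyp_cal_ics'.
 */

// Bug 1: settings are processed on 'init'. WordPress fires 'init' while loading
// wp-admin/admin.php, before that file calls auth_redirect(), so an anonymous
// GET /wp-admin/admin.php?page=hyp-calendar&name=...&ict=...&ics=... reaches
// this code. is_admin() would be true here as well: it only tests whether the
// request targets /wp-admin/, not whether anyone is logged in.
add_action( 'init', function () {
    if ( ! isset( $_GET['page'] ) || 'hyp-calendar' !== $_GET['page'] ) {
        return;
    }
    // Bug 2: no current_user_can() check, no nonce (check_admin_referer()),
    // and the raw query-string values are stored without sanitization.
    foreach ( array( 'name', 'ict', 'ics' ) as $key ) {
        if ( isset( $_GET[ $key ] ) ) {
            // wp_unslash() only removes the slashes WordPress adds to superglobals;
            // it is not sanitization.
            update_option( 'hyp_cal_' . $key, wp_unslash( $_GET[ $key ] ) );
        }
    }
} );

// The admin screen that later renders the stored values to an administrator.
add_action( 'admin_menu', function () {
    add_menu_page( 'Calendar', 'Calendar', 'manage_options', 'hyp-calendar', function () {
        // Bug 3: stored values are echoed without esc_html()/esc_attr(), so a
        // value such as  "><script>...</script>  breaks out of the attribute
        // and runs in the administrator's browser every time this page loads.
        echo '<h1>Calendar: ' . get_option( 'hyp_cal_name', '' ) . '</h1>';
        echo '<input type="text" name="name" value="' . get_option( 'hyp_cal_name', '' ) . '">';
        echo '<input type="text" name="ict" value="' . get_option( 'hyp_cal_ict', '' ) . '">';
        echo '<input type="text" name="ics" value="' . get_option( 'hyp_cal_ics', '' ) . '">';
    } );
} );
```

The three numbered bugs are independent: fixing only the output escaping would leave anyone able to rewrite the settings, and fixing only the access control would leave an XSS for any legitimate editor of the page. Both the save path and the render path need attention.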


How This Could Impact Your Website

Consider a site with a site owner, internal staff who manage calendar entries, and an external contractor who helps with content. An unauthenticated attacker could inject a script into the calendar name or the ict/ics options. When an administrator or staff member opens the calendar management screen, the script runs in that user's browser session, with that user's cookies and capabilities. Practical consequences include exposure of internal user data shown on those pages, unauthorized changes to calendar entries or settings, and an increased risk of targeted phishing or social engineering against staff who have access to the admin area.

For example, an attacker could place a script that records administrator-visible email addresses or other information displayed on the calendar admin pages, and then use those details to craft targeted phishing messages against staff or contractors. If administrators use the same browser session to perform other tasks, there is also potential for session token theft depending on the admin environment and protections in place; WordPress sets its authentication cookies with the HttpOnly flag, which blocks reading them from script, but the script can still make authenticated requests from the victim's browser without ever seeing the cookie.

If you're unsure whether your site is affected, or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. Check the installed version on the Plugins screen or with `wp plugin get appointment-booking-calendar --field=version`; if no fixed release exists, deactivate and remove the plugin, since the flaw is reachable without authentication.
  • Review and reduce unnecessary user roles, especially contributor-level and other low-privilege accounts that can access administrative UI elements. This does not close the unauthenticated path itself, but it limits what a hijacked session can do.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Sanitize and validate inputs when they are saved and escape them when they are rendered. In WordPress code that means a capability check (current_user_can()) and a nonce (check_admin_referer()) before any settings change, sanitize_text_field() or a stricter validator when storing, and esc_html()/esc_attr() when rendering stored values in admin pages; is_admin() is not an authorization check.
  • Monitor site activity and admin logins for unusual behavior, and review recent changes to calendar settings or entries, including the plugin's stored options, for unexpected HTML or script fragments.
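The same settings screen written the way the recommendations above describe, as an added example (not the plugin's code and not its actual fix). The action name hyp_cal_save, the option names and the page slug are hypothetical, and the three fields are assumed to be short text; if ict and ics are really numbers or enumerated choices, validate them with absint() or an allowlist instead of sanitize_text_field().

```php
<?php
/*
 * Hardened save-and-render pair (added example, not the plugin's code).
 * Hypothetical names: action 'hyp_cal_save', options 'hyp_cal_name',
 * 'hyp_cal_ict', 'hyp_cal_ics', page slug 'hyp-calendar'.
 */

// Saving goes through wp-admin/admin-post.php. The 'admin_post_{action}' hook
// (as opposed to 'admin_post_nopriv_{action}') fires only for logged-in users,
// and the handler still checks capability and nonce explicitly.
add_action( 'admin_post_hyp_cal_save', function () {
    // 1. Authorization: an explicit capability check, never is_admin().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: a nonce bound to this action and this user (dies on failure).
    check_admin_referer( 'hyp_cal_save' );

    // 3. Input sanitization on the way in; POST, not GET, for a state change.
    $fields = array( 'name', 'ict', 'ics' );
    foreach ( $fields as $key ) {
        $value = isset( $_POST[ $key ] ) ? sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) : '';
        update_option( 'hyp_cal_' . $key, $value );
    }

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=hyp-calendar' ) ) );
    exit;
} );

add_action( 'admin_menu', function () {
    add_menu_page( 'Calendar', 'Calendar', 'manage_options', 'hyp-calendar', function () {
        $name = get_option( 'hyp_cal_name', '' );
        $ict  = get_option( 'hyp_cal_ict', '' );
        $ics  = get_option( 'hyp_cal_ics', '' );

        // 4. Output encoding at the point of rendering, chosen by context:
        //    esc_html() for element content, esc_attr() for attribute values,
        //    esc_url() for URLs. Stored data is never trusted, even if it was
        //    sanitized on save.
        echo '<h1>Calendar: ' . esc_html( $name ) . '</h1>';
        echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
        wp_nonce_field( 'hyp_cal_save' );   // emits the _wpnonce and _wp_http_referer fields
        echo '<input type="hidden" name="action" value="hyp_cal_save">';
        echo '<input type="text" name="name" value="' . esc_attr( $name ) . '">';
        echo '<input type="text" name="ict" value="' . esc_attr( $ict ) . '">';
        echo '<input type="text" name="ics" value="' . esc_attr( $ics ) . '">';
        submit_button( 'Save' );
        echo '</form>';
    } );
} );
```

Sanitizing on save and escaping on output are both kept because they protect against different failures: sanitization bounds what gets stored even if a future code path forgets to escape, and escaping protects the page even if a value reached the database by some other route (a direct SQL change, an import, or an older unfixed handler).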

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
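For the review step in the list above (checking stored calendar settings for injected HTML), here is an added example of a WP-CLI script, not the plugin's code, that scans every row of the options table, including serialized arrays, for script-like fragments. The indicator patterns and the hyp_ function names are constructed for this illustration; the matching is heuristic, so treat hits as leads to inspect rather than proof of compromise.

```php
<?php
/*
 * Review helper for stored settings (added example, not the plugin's code).
 * Run inside WordPress with WP-CLI:   wp eval-file scan-options.php
 */

// Constructed indicators of script injection; extend to taste.
const HYP_XSS_PATTERNS = array(
    '/<\s*script\b/i',                               // <script ...>
    '/\bon(error|load|click|mouseover|focus)\s*=/i', // common inline event handlers
    '/javascript\s*:/i',                             // javascript: URLs
    '/<\s*(iframe|object|embed|svg)\b/i',            // other script-capable elements
);

/**
 * Walks a scalar, array or object and returns the first suspicious string
 * found, or null when the value looks clean. Entities are decoded first so
 * that &lt;script&gt; stored for later unescaping is also caught.
 */
function hyp_find_suspicious( $value ) {
    if ( is_array( $value ) || is_object( $value ) ) {
        foreach ( (array) $value as $item ) {
            $hit = hyp_find_suspicious( $item );
            if ( null !== $hit ) {
                return $hit;
            }
        }
        return null;
    }
    if ( ! is_string( $value ) ) {
        return null;
    }
    $decoded = html_entity_decode( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    foreach ( HYP_XSS_PATTERNS as $re ) {
        if ( preg_match( $re, $decoded ) ) {
            return $value;
        }
    }
    return null;
}

/**
 * Scans options whose name starts with $prefix (all options when empty) and
 * returns an array of option_name => offending snippet (truncated).
 */
function hyp_scan_options( $prefix = '' ) {
    global $wpdb;
    $like = $wpdb->esc_like( $prefix ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s", $like )
    );
    $hits = array();
    foreach ( $rows as $row ) {
        $hit = hyp_find_suspicious( maybe_unserialize( $row->option_value ) );
        if ( null !== $hit ) {
            $hits[ $row->option_name ] = substr( $hit, 0, 120 );
        }
    }
    return $hits;
}

// Report. Narrow the prefix to the plugin's option names once you know them;
// widget and theme options legitimately contain HTML and will otherwise show up.
foreach ( hyp_scan_options() as $name => $snippet ) {
    $line = sprintf( '%s: %s', $name, $snippet );
    if ( class_exists( 'WP_CLI' ) ) {
        WP_CLI::warning( $line );
    } else {
        echo $line, PHP_EOL;
    }
}
```

A hit in one of the plugin's options on a site that was exposed before patching is a strong indicator that the flaw was exploited; preserve the raw option value before cleaning it up, since the payload usually identifies the collection endpoint the attacker used.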

