This vulnerability (CVE-2024-4288) involves stored cross-site scripting (CWE-79) in the Simply Schedule Appointments Booking Plugin for WordPress. It allows authenticated users with contributor or higher permissions to inject arbitrary web scripts via the 'link' parameter due to improper input neutralization during web page generation. These scripts execute in the context of users who access the injected pages, potentially leading to session hijacking or other client-side impacts. The vulnerability affects all plugin versions up to 1.6.7.14. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges, no user interaction, and partial confidentiality and integrity impact without availability impact. No patch or official vendor advisory is currently available, and no exploits are known in the wild.

An attacker with contributor-level or higher permissions can inject persistent malicious scripts into pages via the vulnerable 'link' parameter. These scripts execute in the browsers of users who view the affected pages, potentially compromising user sessions or performing unauthorized actions within the context of the affected site. The impact is limited to confidentiality and integrity with no availability impact. The vulnerability requires authenticated access, reducing the attack surface compared to unauthenticated vulnerabilities.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict contributor-level permissions to trusted users only and consider disabling or limiting use of the affected plugin. Monitor for updates from the plugin vendor and apply patches promptly once available. Implementing web application firewall (WAF) rules to detect and block suspicious input in the 'link' parameter may provide temporary mitigation.