This vulnerability in codepeople Appointment Booking Calendar (<= 1.3.92) allows an attacker to exploit a Cross-Site Request Forgery (CSRF) flaw to perform unauthorized actions on behalf of an authenticated user. The CSRF vulnerability is linked to an SQL Injection issue, potentially enabling injection attacks through forged requests. The CVSS 3.1 score of 8.2 indicates a high-severity issue exploitable remotely without privileges but requiring user interaction. The vulnerability affects the confidentiality and availability of the system with a scope change. No official patch or mitigation details are currently available.

Successful exploitation could allow an attacker to execute unauthorized SQL Injection attacks via CSRF, potentially leading to data confidentiality loss and partial system availability degradation. The scope change indicates that the attack could affect components beyond the initially vulnerable module. However, no known exploits in the wild have been reported to date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider implementing CSRF protections such as verifying anti-CSRF tokens and restricting actions to authenticated and authorized users. Monitor vendor channels for updates and patches addressing this vulnerability.