CVE-2025-4667 is a stored cross-site scripting (XSS) vulnerability identified in the 'Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin' for WordPress, developed by croixhaug. The vulnerability exists in all plugin versions up to and including 1.6.8.30 and is due to improper neutralization of user-supplied input within the plugin's shortcodes: ssa_admin_upcoming_appointments, ssa_admin_upcoming_appointments (duplicated in the report), and ssa_past_appointments. These shortcodes fail to adequately sanitize and escape input attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability requires no user interaction beyond viewing the affected page and does not require higher privileges than contributor, which is a relatively low threshold in WordPress roles. The CVSS 3.1 base score is 6.4, reflecting a medium severity level, with attack vector network-based, low attack complexity, privileges required at the contributor level, no user interaction, and scope changed due to impact beyond the vulnerable component. No known public exploits have been reported yet, but the vulnerability poses a significant risk to websites using this plugin. The flaw impacts confidentiality and integrity but does not affect availability. The vulnerability was published on June 14, 2025, and was reserved on May 13, 2025. No official patches or updates have been linked yet, so mitigation relies on access control and input validation measures.

The primary impact of CVE-2025-4667 is on the confidentiality and integrity of affected WordPress sites using the vulnerable plugin. Successful exploitation allows an attacker with contributor-level access to inject persistent malicious scripts that execute in the context of other users' browsers. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential privilege escalation within the WordPress environment. Since contributor-level access is sufficient, attackers who have compromised or gained such accounts can leverage this vulnerability to expand their foothold. The vulnerability does not affect availability, so denial-of-service is not a direct concern. Organizations relying on this plugin for appointment scheduling risk data breaches, reputational damage, and compliance violations if exploited. The threat is global, affecting any WordPress site using the plugin, with increased risk in sectors relying heavily on appointment booking functionality such as healthcare, education, and professional services. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate it, especially as attackers may develop exploits given the medium severity and ease of exploitation.

1. Immediately restrict contributor-level user permissions to trusted individuals only, minimizing the risk of malicious input injection. 2. Monitor and audit contributor activity for suspicious behavior or unexpected shortcode usage. 3. Implement Web Application Firewall (WAF) rules to detect and block malicious script payloads targeting the affected shortcodes. 4. Until an official patch is released, consider disabling or removing the vulnerable shortcodes (ssa_admin_upcoming_appointments and ssa_past_appointments) from all pages and posts. 5. Apply strict input validation and output encoding on any user-supplied data related to appointment booking features, possibly via custom code or security plugins. 6. Keep WordPress core, themes, and all plugins updated and subscribe to vendor advisories for timely patch releases. 7. Educate site administrators and contributors about the risks of XSS and safe content practices. 8. Conduct regular security scans and penetration tests focusing on plugin vulnerabilities. 9. Prepare incident response plans to quickly address any exploitation attempts. 10. Once a patch is available, prioritize immediate deployment to eliminate the vulnerability.