Reflected XSS in Simply Schedule Appointments WordPress Plugin (CVE-2024-13431)

Vulnerability Key Information Summary 1. Vulnerability Overview CVE ID: CVE-2024-13431 Vulnerability Type: Reflected Cross-Site Scripting (Reflected XSS) CVSS Score: 6.1 (Medium) Description: In the WordPress plugin "Appointment Booking Calendar — Simply Schedule Appointments," the and parameters of the endpoint lack proper input validation. Attackers can inject malicious JavaScript code, causing it to execute in the victim's browser. 2. Scope of Impact Plugin Name: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin Affected Versions: <= 1.6.8.3 3. Proof of Concept (POC) 4. Remediation In version 1.6.8.5, the developer implemented a new sanitization function . This function uses stricter regular expressions to validate color values (hexadecimal or RGBA) and returns if the input is invalid, thereby preventing malicious code injection. 5. Key Code Snippets Vulnerable Code ( function in ): Fixed Code (New function): Post-Fix Call Logic:

Goal Reached Thanks to every supporter — we hit 100%!

Reflected XSS in Simply Schedule Appointments WordPress Plugin (CVE-2024-13431)