Azhar Lockwood

**Name of the Vulnerable Software and Affected Versions** Appointment Hour Booking – Booking Calendar plugin for WordPress versions prior to 1.5.61 **Description** The Appointment Hour Booking – Booking Calendar plugin for WordPress is susceptible to Stored Cross-Site Scripting through form field configuration parameters. Insufficient input sanitization and output escaping on the ‘Min length/characters’ and ‘Max length/characters’ field configuration values allow authenticated attackers with administrator-level access or higher to inject arbitrary web scripts. These scripts execute when users access the form builder interface. This issue specifically impacts multi-site installations and those where unfiltered html has been disabled. **Recommendations** Update to version 1.5.61 or later.