WordPress · Book Appointment Online · CVE-2021-24614
**Name of the Vulnerable Software and Affected Versions**
Book appointment online WordPress plugin versions prior to 1.39
**Description**
The plugin does not sanitize or escape Service Prices before showing them in the List output, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed.
**Recommendations**
If you are running a version prior to 1.39, update to version 1.39 or later to resolve the issue. As a temporary workaround until the patch is applied, consider restricting the capability to edit Service Prices to trusted users only.
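
The kind of fix the description points to, validating a price value and escaping it when the list is rendered, shown as an added example that is not the plugin's code. The function names, row layout and sample data are assumptions, and plain PHP's `htmlspecialchars()` stands in for the role `esc_html()` plays in WordPress so the block runs outside WordPress.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; these are not the plugin's functions.

/** Accept only a plain decimal price; return null for anything else. */
function normalize_price(string $raw): ?string
{
    $raw = trim($raw);
    // Digits with an optional 1-2 digit fraction; markup, signs and exponents fail.
    if (!preg_match('/^\d{1,7}(?:\.\d{1,2})?\z/', $raw)) {
        return null;
    }
    return number_format((float) $raw, 2, '.', '');
}

/** Escape a value for an HTML text node (esc_html() fills this role in WordPress). */
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Before: stored values are concatenated into the list unchanged. */
function render_row_unescaped(array $service): string
{
    return '<tr><td>' . $service['name'] . '</td><td>' . $service['price'] . '</td></tr>';
}

/** After: the price is validated, and every field is escaped on output regardless. */
function render_row_escaped(array $service): string
{
    $price = normalize_price($service['price']) ?? 'invalid price';
    return '<tr><td>' . html_text($service['name']) . '</td><td>' . html_text($price) . '</td></tr>';
}

// Constructed sample rows: one ordinary price, one carrying markup.
$services = [
    ['name' => 'Consultation', 'price' => '19.9'],
    ['name' => 'Follow-up', 'price' => '25<script>/* constructed marker */</script>'],
];

foreach ($services as $service) {
    echo 'before: ', render_row_unescaped($service), PHP_EOL;
    echo 'after:  ', render_row_escaped($service), PHP_EOL;
}
```

Escaping at output is what protects rows already stored in the database; the input check only keeps new bad values out.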