CVE-2020-9372

Name of the Vulnerable Software and Affected Versions Appointment Booking Calendar plugin versions prior to 1.3.35

Description The issue allows user input in fields such as Description or Name in any booking form to be any formula. This input could then be exported via the Bookings list tab in "/wp-admin/admin.php?page=cpabc appointments.php", potentially leading to remote code execution via CSV injection.

Recommendations For versions prior to 1.3.35, update to version 1.3.35 or later to resolve the issue. As a temporary workaround, consider restricting user input in booking forms to prevent the use of malicious formulas until a patch is applied. Avoid using the "/wp-admin/admin.php?page=cpabc appointments.php" endpoint for exporting bookings from untrusted sources until the issue is resolved.