PT-2026-5060 · WordPress · Appointment Hour Booking – Booking Calendar
Azhar Lockwood
·
Published
2026-01-28
·
Updated
2026-01-28
·
CVE-2026-1083
CVSS v3.1
4.4
Medium
| Vector | AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Appointment Hour Booking – Booking Calendar plugin for WordPress versions prior to 1.5.61
Description
The Appointment Hour Booking – Booking Calendar plugin for WordPress is susceptible to Stored Cross-Site Scripting through form field configuration parameters. Insufficient input sanitization and output escaping on the ‘Min length/characters’ and ‘Max length/characters’ field configuration values allow authenticated attackers with administrator-level access or higher to inject arbitrary web scripts. These scripts execute when users access the form builder interface. This issue specifically impacts multi-site installations and those where unfiltered html has been disabled.
Recommendations
Update to version 1.5.61 or later.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Appointment Hour Booking – Booking Calendar