{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-0862", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-01-29T21:23:56.432Z", "datePublished": "2025-02-11T11:10:02.971Z", "dateUpdated": "2026-04-08T17:04:50.367Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:50.367Z"}, "affected": [{"vendor": "supersaas", "product": "SuperSaaS \u2013 online appointment scheduling", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.12", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SuperSaaS \u2013 online appointment scheduling plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018after\u2019 parameter in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is limited to Chromium-based browsers (e.g. Chrome, Edge, Brave)."}], "title": "SuperSaaS \u2013 online appointment scheduling <= 2.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via after Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8698255b-6c03-464b-8cb5-191d3e77009f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/supersaas-appointment-scheduling/tags/2.1.12/includes/shortcode.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/supersaas-appointment-scheduling/tags/2.1.12/includes/shortcode.php#L15"}, {"url": "https://plugins.trac.wordpress.org/changeset/3235242/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-02-10T22:06:43.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0862", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-11T14:39:59.805479Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T20:51:43.315Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0862", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-11T14:39:59.805479Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T20:46:47.731Z"}}], "cna": {"title": "SuperSaaS \u2013 online appointment scheduling <= 2.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via after Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "supersaas", "product": "SuperSaaS \u2013 online appointment scheduling", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.12"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-10T22:06:43.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8698255b-6c03-464b-8cb5-191d3e77009f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/supersaas-appointment-scheduling/tags/2.1.12/includes/shortcode.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/supersaas-appointment-scheduling/tags/2.1.12/includes/shortcode.php#L15"}, {"url": "https://plugins.trac.wordpress.org/changeset/3235242/"}], "descriptions": [{"lang": "en", "value": "The SuperSaaS \u2013 online appointment scheduling plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018after\u2019 parameter in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is limited to Chromium-based browsers (e.g. Chrome, Edge, Brave)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:50.367Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0862", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:50.367Z", "dateReserved": "2025-01-29T21:23:56.432Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-02-11T11:10:02.971Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SuperSaaS \u2013 online appointment scheduling plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018after\u2019 parameter in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is limited to Chromium-based browsers (e.g. Chrome, Edge, Brave)."}, {"lang": "es", "value": "El complemento SuperSaaS \u2013 online appointment scheduling para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del par\u00e1metro \"after\" en todas las versiones hasta la 2.1.12 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten secuencias de comandos web arbitrarias en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada. Esto se limita a los navegadores basados en Chromium (por ejemplo, Chrome, Edge, Brave)."}], "id": "CVE-2025-0862", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-02-11T11:15:16.043", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/supersaas-appointment-scheduling/tags/2.1.12/includes/shortcode.php#L15"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/supersaas-appointment-scheduling/tags/2.1.12/includes/shortcode.php#L31"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3235242/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8698255b-6c03-464b-8cb5-191d3e77009f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:30:13.848072+00:00", "value": {"mitigation_remediation": ["Upgrade the SuperSaaS plugin to a version that sanitizes the \u2018after\u2019 parameter (2.1.13 or later).", "Restrict or remove Contributor\u2011level access to the ability to edit or inject content that uses the \u2018after\u2019 parameter.", "Deploy a web application firewall rule or a Content\u2011Security\u2011Policy header that blocks or neutralizes user\u2011supplied JavaScript in the plugin\u2019s shortcodes."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting with Contributor\u2011level access"}, "threat_synthesis": {"affected_systems": "All installations of the SuperSaaS \u2013 online appointment scheduling WordPress plugin in releases up to and including version 2.1.12 are affected. Any site running those versions and granting Contributor or higher privileges can be used to inject malicious scripts via the vulnerable parameter.", "description_and_impact": "The SuperSaaS \u2013 online appointment scheduling plugin for WordPress is vulnerable to stored Cross\u2011Site Scripting because the \u2018after\u2019 parameter is not properly sanitized or escaped. An authenticated attacker with Contributor access can inject arbitrary JavaScript that will execute whenever any user views a page containing the injected content, allowing for actions such as cookie theft, session hijacking, or phishing attacks. The flaw is limited to Chromium\u2011based browsers such as Chrome, Edge, and Brave, but once injected it persists in the stored content and can impact every user that later views the affected page.", "risk_and_exploitability": "With a CVSS base score of 4.9 the flaw is considered moderate severity. The EPSS score of less than 1% signals a very low likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog, and the required conditions of authenticated Contributor privileges and usage of a Chromium browser reduce the attack surface. Nevertheless, the persistent nature of the stored XSS means that any user who later views the content can be compromised."}}}}, "created": "2026-04-22T13:30:17.931592+00:00", "updated": "2026-04-22T13:30:17.931602+00:00", "vendors": []}