{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9851", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-02T15:08:00.900Z", "datePublished": "2025-09-17T01:49:15.904Z", "dateUpdated": "2026-04-08T16:57:54.335Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:54.335Z"}, "affected": [{"vendor": "gentlesource", "product": "Appointmind", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Appointmind plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appointmind_calendar' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Appointmind <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65d965ac-66ae-4c23-b9c2-335b93a140d9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3359404%40appointmind&new=3359404%40appointmind&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-09-16T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-17T13:10:46.804802Z", "id": "CVE-2025-9851", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-17T13:10:52.645Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9851", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-17T13:10:46.804802Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-17T13:10:49.724Z"}}], "cna": {"title": "Appointmind <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "gentlesource", "product": "Appointmind", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-16T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65d965ac-66ae-4c23-b9c2-335b93a140d9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3359404%40appointmind&new=3359404%40appointmind&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Appointmind plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appointmind_calendar' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:54.335Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9851", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:57:54.335Z", "dateReserved": "2025-09-02T15:08:00.900Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-17T01:49:15.904Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Appointmind plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appointmind_calendar' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Appointmind para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del shortcode 'appointmind_calendar' del plugin en todas las versiones hasta la 4.1.0, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-9851", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-17T02:15:33.830", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3359404%40appointmind&new=3359404%40appointmind&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65d965ac-66ae-4c23-b9c2-335b93a140d9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:54:21.301152+00:00", "value": {"mitigation_remediation": ["Update Appointmind to the latest patched version (\u22654.2.0). If a newer version is unavailable, uninstall or disable the plugin entirely.", "Restrict the use of the appointmind_calendar shortcode to administrator accounts only, or remove all instances of the shortcode from existing content.", "Implement a site\u2011wide Content Security Policy that blocks inline scripts and limits script sources.", "Apply input sanitization and proper output escaping for the shortcode attributes as a temporary fix, ensuring that only allowed characters are accepted."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed Appointmind plugin version 4.1.0 or earlier. The vulnerability affects all releases up to and including 4.1.0 and impacts any site using the appointmind_calendar shortcode through any contributor\u2011level role.", "description_and_impact": "The Appointmind WordPress plugin exposes a stored cross\u2011site scripting flaw through its appointmind_calendar shortcode. The plugin fails to sanitize or escape user\u2011supplied attributes, allowing an attacker who can create or edit content with contributor or higher privileges to embed malicious JavaScript. When another user visits a page that includes the compromised shortcode, the attacker\u2011supplied script is executed in the victim\u2019s browser, enabling the theft of session data or site defacement.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1 % implies that exploitation is currently unlikely and the flaw is not listed in CISA\u2019s KEV catalog. Attackers must be authenticated with at least contributor level, so the vulnerability is an authenticated stored XSS that can be triggered by injecting script into the shortcode, after which the payload runs for any user who views the affected page, threatening user confidentiality and site integrity."}}}}, "created": "2025-09-17T10:52:02.132527+00:00", "updated": "2026-04-21T03:00:06.378557+00:00", "vendors": ["appointmind", "appointmind$PRODUCT$appointmind", "wordpress", "wordpress$PRODUCT$wordpress"]}