CVE-2020-9371: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in the Appointment Booking Calendar WordPress plugin versions before 1.3.35. The vulnerability exists in the cpabc_appointments.php file, where the Calendar Name input field could allow attackers to inject arbitrary JavaScript or HTML code (CVE Mitre, NVD).

The vulnerability is classified as a stored XSS issue (CWE-79) affecting the Calendar Name input field in the cpabc_appointments.php file. The CVSS v3.1 base score is 4.8 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires high privileges and user interaction to exploit, with the potential to affect confidentiality and integrity at a low level (NVD).

If successfully exploited, the vulnerability allows attackers with administrative access to inject malicious JavaScript or HTML code through the Calendar Name input field. This injected code would be stored in the database and executed when other users view the affected calendar (AttackerKB).

The vulnerability has been patched in version 1.3.35 of the Appointment Booking Calendar plugin. Users should update to this version or later to mitigate the risk. The update includes additional sanitization and new hooks to prevent XSS attacks (WordPress Plugin).