CVE-2024-13431: 
WordPress vulnerability analysis and mitigation

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-13431) discovered in March 2025. The vulnerability affects all versions up to and including 1.6.8.3, with the issue stemming from insufficient input sanitization and output escaping in the accent_color and background parameters (NVD CVE).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 Base Score of 6.1 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R). The scope is changed (S:C) with low confidentiality and integrity impact (C:L, I:L) and no availability impact (A:N) (NVD CVE).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This can lead to potential compromise of user data and session information (NVD CVE).

A patch has been released to address this vulnerability. Users are advised to update their Appointment Booking Calendar — Simply Schedule Appointments plugin to a version newer than 1.6.8.3 (WordPress Plugin).