CVE-2024-7877: 
WordPress vulnerability analysis and mitigation

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before version 1.6.7.55 contains a Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly published on October 15, 2024, and was assigned CVE-2024-7877. This security issue affects WordPress installations using the Simply Schedule Appointments plugin versions prior to 1.6.7.55 (NVD, WPScan).

The vulnerability stems from improper sanitization and escaping of Notification settings within the plugin. The issue has been assigned CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability can be exploited even when the unfiltered_html capability is disallowed (NVD).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Cross-Site Scripting attacks. The impact is considered medium severity, with potential for limited confidentiality and integrity breaches, though no availability impact has been identified (NVD).

The vulnerability has been patched in version 1.6.7.55 of the Simply Schedule Appointments plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).