CVE-2025-9851: 
WordPress vulnerability analysis and mitigation

The vulnerability identified as CVE-2025-9851 affects the Appointmind plugin for WordPress versions up to and including 4.1.0. This security flaw was discovered and reported on September 16, 2025, by security researcher Peter Thaleikis. The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue that exists within the plugin's 'appointmind_calendar' shortcode functionality (NVD CVE, Wordfence Intel).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the 'appointmind_calendar' shortcode. It has been assigned CWE-79 (Improper Neutralization of Input During Web Page Generation) classification. The vulnerability received a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, and required low privileges (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user sessions (NVD CVE).