cleantalk
Vulnerabilities and Security Researches

Easy Appointments, CVE-2024-2842

CVE, Research URL

CVE-2024-2842

Home page URL

Security reports for Easy Appointments

Application

Easy Appointments

Published on
Mar 29, 2024
Research Description
The Easy Appointments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ea_full_calendar' shortcode in all versions up to, and including, 3.11.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 3.11.19.
Status
vulnerable
Previous vulnerability researches
Easy Appointments (CVE-2023-30748) , Jun 10, 2024
Easy Appointments (CVE-2022-4668) , Jun 07, 2024
Easy Appointments (CVE-2022-36424) , Jun 07, 2024
Easy Appointments (CVE-2024-2842) , Jun 07, 2024
Easy Appointments (CVE-2024-2844) , Jun 07, 2024
New vulnerability
Greenshift – animation and page builder blocks (CVE-2025-11841) , Nov 11, 2025
Range Slider AddOn for Gravity Forms (CVE-2025-49905) , Nov 11, 2025
YOP Poll (CVE-2025-62040) , Nov 11, 2025
Insert Headers and Footers Code – HT Script (CVE-2025-12112) , Nov 11, 2025
Easy Appointments (CVE-2025-49398) , Nov 11, 2025