CVE-2026-1856 medium

📛 Threat Title

Appointment Booking Calendar <= 1.4.4 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Booking Field Label

Category: wordpress-vulnerability
Source: Wordfence

Description

The Appointment Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom booking field labels in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Affected software — plugin: Creavi Appointment Booking Calendar (affected: *-1.4.4). CVSS 6.4 (Medium) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

Remediations

  • Wordfence remediation: Creavi Appointment Booking Calendar
    Wordfence

    Update to version 1.4.5, or a newer patched version
Indicators of Compromise (1)

Each indicator is enriched from the IOC database, threat-intel feed corroboration (Threat Hunt) and VirusTotal.

cve CVE-2026-1856

IOC database

Type: cve
Value: CVE-2026-1856
Appears in: 1 threat
Description: Appointment Booking Calendar <= 1.4.4 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Booking Field Label

Threat Hunt — feed corroboration

Not present in any configured threat-intel feed.
