CVE-2025-1119
Published: 13 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-1119 is an arbitrary shortcode execution vulnerability in the Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin for WordPress, affecting all versions up to and including 1.6.8.5. The issue stems from the plugin allowing execution of an action that fails to properly validate a value prior to invoking the do_shortcode function, enabling unauthenticated attackers to run arbitrary shortcodes. Published on 2025-03-13, it carries a CVSS v3.1 base score of 7.3 and is associated with CWE-94 (Improper Control of Generation of Code).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or user interaction and maintaining an unchanged scope. Exploitation allows attackers to execute arbitrary shortcodes, resulting in low impacts to confidentiality, integrity, and availability.
Advisories and references, including those from Wordfence and a plugin developer's blog, detail the vulnerability, while a patch appears in WordPress plugins trac changeset 3250719, modifying the page-appointment-edit.php file in the plugin trunk to address the validation flaw.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables remote exploitation of a public-facing WordPress application through unauthenticated arbitrary shortcode execution via improper input validation before do_shortcode.