CVE-2020-9372

HIGH

Appointment Booking Calendar < 1.3.35 - CSV Injection via Booking Form Fields

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-9372. PoCs published by Daniel Monzón.

AI-analyzed exploit summary: This exploit demonstrates a CSV injection vulnerability in the WordPress plugin Appointment Booking Calendar 1.3.34, allowing an attacker to inject malicious hyperlinks into exported CSV files. It also includes a stored XSS vulnerability via the Calendar Name field.

Description

The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input in any booking form (in fields such as Description or Name) to contain an arbitrary spreadsheet formula, which is then exported unsanitized via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. An attacker could achieve remote code execution via CSV injection.

Exploits (1)

exploitdb · WORKING POC
by Daniel Monzón · text/webapps/php
https://www.exploit-db.com/exploits/48204

Classification
Working PoC (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin Appointment Booking Calendar 1.3.34
Auth required
Prerequisites: Access to WordPress admin panel · Appointment Booking Calendar plugin installed and activated
Analyzed Feb 16, 2026 by devstral-2

References (4)

Core References (4)
Release Notes, Third Party Advisory (x_refsource_misc): https://wordpress.org/plugins/appointment-booking-calendar/#developers
Exploit, Third Party Advisory (x_refsource_misc): https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9
Permissions Required (x_refsource_misc): https://www.hotdreamweaver.com/support/view.php?id=815925

Scores

CVSS v3: 7.8
EPSS: 0.0861
EPSS Percentile: 94.4%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-1236
Status: published
Products (1): codepeople/appointment_booking_calendar < 1.3.35
Published: Mar 04, 2020
Tracked Since: Feb 18, 2026