PatchSiren cyber security CVE debrief
CVE-2026-39447 NSquared CVE debrief
A high-severity unauthenticated Cross-Site Scripting (XSS) vulnerability was discovered in the Simply Schedule Appointments plugin, versions <= 1.6.10.6. The vulnerability has a CVSS score of 7.1 and is rated HIGH. It allows unauthenticated attackers to inject malicious scripts into the application.
- Vendor: NSquared
- Product: Simply Schedule Appointments
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Administrators and users of the Simply Schedule Appointments plugin, versions <= 1.6.10.6, should apply the necessary patches to prevent exploitation.
Technical summary
The vulnerability is caused by a lack of proper input validation and sanitization in the Simply Schedule Appointments plugin. This allows unauthenticated attackers to inject malicious scripts into the application, potentially leading to sensitive information disclosure or other malicious activities.
Defensive priority
HIGH
Recommended defensive actions
- Apply the latest patch, or update the Simply Schedule Appointments plugin to a version > 1.6.10.6
- Review and restrict user input to prevent malicious script injection
Evidence notes
Evidence of this vulnerability was provided by Patchstack, a reputable security research firm.
Official resources
- CVE-2026-39447 CVE record (CVE.org)
- CVE-2026-39447 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
CVE-2026-39447 was published on 2026-06-15T21:16:42.880Z and modified on 2026-06-15T21:24:32.790Z.