How is CVE-2026-39447 exploited?

Network reachability (required): The attacker must reach the affected WordPress installation over the network to deliver the malicious payload. Authentication (not-required): No account or credentials are needed; the vulnerability is exploitable by any unauthenticated external party. Victim interaction (required): A victim (typically a logged-in WordPress user or administrator) must interact with a crafted link or page for the injected script to execute in their browser. Attack complexity (info): Exploit complexity is low, meaning no special conditions, race windows, or environmental factors need to align for the attack to succeed.

What is the impact of CVE-2026-39447?

An attacker can execute arbitrary JavaScript in the victim's browser session, reading session cookies and authentication tokens associated with the WordPress site. Injected script can modify page content visible to the victim, including form fields, enabling credential harvesting. With scope change (S:C in the CVSS vector), the impact extends beyond the vulnerable component and can affect the broader browser origin, including other scripts or frames running in the same context. Availability is rated as low-impact, meaning the injected payload can cause limited disruption to the page or user session, such as breaking UI elements or forcing logouts.

Back to search

HIGHCVE-2026-39447Published 2026-06-15Modified 2026-06-15CNA Patchstack

CVE-2026-39447: WordPress Simply Schedule Appointments plugin <= 1.6.10.6 - Cross Site Scripting (XSS) vulnerability

Q: What is CVE-2026-39447?

This is a reflected or stored cross-site scripting (XSS) vulnerability in the Simply Schedule Appointments WordPress plugin by NSquared, affecting all versions up to and including 1.6.10.6. The flaw is reachable over the network with no authentication required, but a victim must interact with a crafted link or page for the attack to succeed. Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, enabling session hijacking, credential theft, page content manipulation, and in some configurations lateral movement within the WordPress admin panel. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

Q: Is CVE-2026-39447 patched?

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention.

Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.10.6 versions.

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a reflected or stored cross-site scripting (XSS) vulnerability in the Simply Schedule Appointments WordPress plugin by NSquared, affecting all versions up to and including 1.6.10.6. The flaw is reachable over the network with no authentication required, but a victim must interact with a crafted link or page for the attack to succeed. Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, enabling session hijacking, credential theft, page content manipulation, and in some configurations lateral movement within the WordPress admin panel. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-39447 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds (including Patchstack) within minutes of publication and matched against customer images and pipeline builds, including custom-built images that bundle the Simply Schedule Appointments plugin.

Available

Triage

Triage is available with a CVSS v3.1 score of 7.1 (HIGH), weighted against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the affected WordPress installation over the network to deliver the malicious payload.
AuthenticationNot required
No account or credentials are needed; the vulnerability is exploitable by any unauthenticated external party.
Victim interactionRequired
A victim (typically a logged-in WordPress user or administrator) must interact with a crafted link or page for the injected script to execute in their browser.
Attack complexityDetail
Exploit complexity is low, meaning no special conditions, race windows, or environmental factors need to align for the attack to succeed.

Blast Radius

An attacker can execute arbitrary JavaScript in the victim's browser session, reading session cookies and authentication tokens associated with the WordPress site.
Injected script can modify page content visible to the victim, including form fields, enabling credential harvesting.
With scope change (S:C in the CVSS vector), the impact extends beyond the vulnerable component and can affect the broader browser origin, including other scripts or frames running in the same context.
Availability is rated as low-impact, meaning the injected payload can cause limited disruption to the page or user session, such as breaking UI elements or forcing logouts.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored with no fix version currently published upstream. Every ingest cycle, HarborGuard re-checks the Patchstack advisory and NSquared release feed for a remediated version of Simply Schedule Appointments. The moment a patched release appears, a rebuilt image at that version becomes available; for customers with auto-remediation enabled, this triggers a full rebuild, regression test run, and a PR opened against any affected workloads without requiring manual action. In the interim, compensating controls worth considering include network-policy isolation to restrict which services can load or embed the WordPress instance, egress filtering on containers running WordPress to limit the reach of any injected script callbacks, and disabling or removing the Simply Schedule Appointments plugin from images where scheduling functionality is not required. The HIGH severity rating (7.1) ensures this finding is surfaced prominently in compliance-policy-weighted triage queues.

See how HarborGuard automates this

Affected packages

NSquared / Simply Schedule Appointments
≤ 1.6.10.6

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

References

patchstack.com

Metrics

Get notified