Cyber Resilience

CVE-2024-7129

Severity: High · Public PoC available

Published: 13 September 2024

Modified: 15 September 2025
KEV Added: not listed
CVSS Score (v3.1): 7.2, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.1293 (94.2nd percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-7129 is a high-severity vulnerability in Nsqua Simply Schedule Appointments; no specific CWE has been assigned to it. Its CVSS base score is 7.2 (High).

Operationally, it is ranked in the top 5.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The Appointment Booking Calendar WordPress plugin before version 1.6.7.43 is affected by a Twig template injection vulnerability. The root cause is a failure to escape template syntax supplied through user input, which can be escalated to remote code execution.

High-privilege users such as site administrators can supply malicious template directives to execute arbitrary code on the server. The issue carries a CVSS 3.1 score of 7.2 reflecting network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability when successfully exploited.
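To make the root cause concrete, here is an added illustration of the bug class in Twig, written for this page and not taken from the plugin (whose source is not shown here): the unsafe pattern compiles a stored, user-editable string as a template, while the hardened pattern passes that string as a variable into a developer-authored template. The setting name, template and sample value are constructed for the example; it assumes Twig 3 installed via Composer.

```php
<?php
// Added example: demonstrates why unescaped template syntax in user input
// becomes Twig template injection, and how to render the same data safely.
// Assumes Twig 3 (composer require twig/twig); the template and setting
// below are constructed for illustration and are not the plugin's own.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

$twig = new Environment(new ArrayLoader([
    // Fixed template authored by the developer; user data only fills variables.
    'confirmation.twig' => '<p>{{ message }} (booking for {{ customer_name }})</p>',
]), ['autoescape' => 'html']);

// Constructed sample: an admin-editable confirmation message that happens to
// contain Twig syntax. Under the unsafe pattern this syntax is executed.
$storedSetting = 'Thanks {{ customer_name }}! See you {% if 1 %}soon{% endif %}.';

// VULNERABLE PATTERN: the stored string is compiled as a template, so every
// Twig tag and expression inside it runs with the application's privileges.
function render_unsafe(Environment $twig, string $userTemplate, string $name): string
{
    return $twig->createTemplate($userTemplate)->render(['customer_name' => $name]);
}

// HARDENED PATTERN: the stored string is plain data for a fixed template.
// Twig never parses it, and autoescape neutralises any HTML it contains.
function render_safe(Environment $twig, string $userText, string $name): string
{
    return $twig->render('confirmation.twig', [
        'message'       => $userText,
        'customer_name' => $name,
    ]);
}

// Optional defensive check for settings where template syntax is never
// legitimate: reject the value on save instead of storing it.
function contains_twig_syntax(string $value): bool
{
    return (bool) preg_match('/\{\{|\{%|\{#/', $value);
}

echo render_unsafe($twig, $storedSetting, 'Ada'), PHP_EOL; // tags are evaluated
echo render_safe($twig, $storedSetting, 'Ada'), PHP_EOL;   // braces printed literally
var_dump(contains_twig_syntax($storedSetting));            // flagged on save
```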

The vulnerability is tracked in a WPScan advisory that identifies the affected plugin versions and the fixed release.

EPSS reached a peak of 0.1559 after disclosure, indicating emerging exploitation interest that warrants renewed attention despite the requirement for administrative access.

Vulnerability details

The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig template injection, which can be further exploited to achieve remote code execution by high-privilege users such as admins.

CWE(s): none assigned

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: nsqua
Product: simply schedule appointments
Versions: ≤ 1.6.7.43

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.