## https://sploitus.com/exploit?id=WPEX-ID:E922B788-7DA5-43B4-9B05-839C8610252A
When booking an appointment, either as unauthenticated or any authenticated user, put the following payload in the First Name field: test" onfocus=alert('XSS')
The payload will be triggered when an admin will access the appointment via the 'Calendar' page
Edit (WPScanTeam): Payload w/o user interaction other than accessing the calendar page: " style="animation-name:rotation" onanimationstart="alert(/XSS/)//