WordPress Plugin Vulnerabilities

Bus Ticket Booking with Seat Reservation < 5.2.4 - Reflected XSS

Description

The plugin does not sanitise and escape the tab_date and tab_date_r parameters before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Affects Plugins

Plugin icon
bus-ticket-booking-with-seat-reservation
Fixed in 5.2.4

References

CVE
CVE-2023-4067

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Vincenzo Turturro, Gianluca Parisi, Vincenzo Cantatore
Verified
No
WPVDB ID
0472a858-b7e2-44e4-9a50-3c55ade396ee

Timeline

Publicly Published
2023-08-01 (about 9 months ago)
Added
2023-08-02 (about 9 months ago)
Last Updated
2023-08-02 (about 9 months ago)

Other

Published
Title
Published
2015-01-01
Title
WP Responsive Preview - XSS
Published
2014-08-01
Title
Knews 1.1.0 - wysiwyg/fontpicker/index.php ff Parameter XSS
Published
2019-07-12
Title
Email Subscribers & Newsletters < 4.1.7 - Cross-Site Scripting (XSS)
Published
2024-05-01
Title
WP Video Lightbox < 1.9.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter
Published
2023-01-11
Title
GamiPress – Vimeo integration < 1.0.9 - Contributor+ Stored XSS