WordPress Plugin Vulnerabilities

Appointment Hour Booking < 1.3.16 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not escape some of the Calendar Form settings, allowing high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Create a new Calendar (Appointment Hour Booking > Add new)
Put the following payload in the Form Settings > "Form Name" and "Description" fields: <img src onerror=alert(/XSS/)>
Click the "Save Changed and Return" button

The XSS will be triggered
- When editing the calendar again in the admin dashboard
- In posts/page where the calendar is embed

Affects Plugins

Plugin icon
appointment-hour-booking
Fixed in 1.3.16

References

CVE
CVE-2021-24673
URL
https://www.hackpertise.com/cve/14-cve-2021-24673/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Asif Nawaz Minhas
Submitter
Asif Nawaz Minhas
Verified
Yes
WPVDB ID
75a67932-d831-4dfb-a70d-a07650eaa755

Timeline

Publicly Published
2021-09-06 (about 2 years ago)
Added
2021-09-06 (about 2 years ago)
Last Updated
2023-04-12 (about 1 years ago)

Other

Published
Title
Published
2024-02-02
Title
CalculatorPro Calculators <= 1.1.7 - Reflected Cross-Site Scripting via CP_preview_calc
Published
2016-05-02
Title
bbPress <= 2.5.8 - Stored Cross-Site Scripting (XSS)
Published
2021-08-11
Title
Per Page Add to Head <= 1.4.4 - Authenticated Stored XSS
Published
2023-02-24
Title
asMember <= 1.5.4 - Admin+ Stored XSS
Published
2020-06-25
Title
Coming Soon Page, Under Construction & Maintenance Mode by SeedProd < 5.1.2 - Authenticated Stored Cross Site Scripting (XSS)