WordPress Plugin Vulnerabilities

Easy Appointments < 3.11.19 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Easy Appointments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ea_full_calendar' shortcode in all versions up to, and including, 3.11.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
easy-appointments
Fixed in 3.11.19

References

CVE
CVE-2024-2842
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9e1514c8-3752-4d0a-87a3-3f245a7cb914

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Verified
No
WPVDB ID
84b7ffb4-b7a6-4979-87a6-a46db39b6a30

Timeline

Publicly Published
2024-03-28 (about 1 months ago)
Added
2024-03-28 (about 1 months ago)
Last Updated
2024-03-28 (about 1 months ago)

Other

Published
Title
Published
2024-05-03
Title
Testimonial Slider < 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2017-03-01
Title
User Login Log - Stored Cross-Site Scripting (XSS)
Published
2014-08-01
Title
Social Connect 0.10.1 - diagnostics/test.php testing Parameter Reflected XSS
Published
2023-11-06
Title
Ziteboard Online Whiteboard < 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via ziteboard Shortcode
Published
2021-11-12
Title
GRAND FlaGallery <= 6.1.2 - Admin+ Stored Cross-Site Scripting