WordPress Plugin Vulnerabilities

Booking Ultra Pro < 1.1.7 - Subscriber+ Settings Update

Description

The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them

Affects Plugins

Plugin icon
booking-ultra-pro
Fixed in 1.1.7

References

CVE
CVE-2023-32601

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Badromance 1337
Verified
No
WPVDB ID
854f79a6-4feb-4445-ae64-b990fe24db53

Timeline

Publicly Published
2023-05-12 (about 1 years ago)
Added
2023-08-24 (about 8 months ago)
Last Updated
2023-08-24 (about 8 months ago)

Other

Published
Title
Published
2020-09-06
Title
Constant Contact Forms < 1.8.8 - Multiple Authenticated Stored XSS
Published
2023-04-17
Title
WP Popups < 2.1.5.1 - Contributor+ Stored XSS
Published
2023-11-06
Title
Garden Gnome Package < 2.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2014-08-01
Title
Events Calendar - wp-admin/admin.php EC_id Parameter XSS
Published
2022-12-09
Title
Superio - Job Board < 1.2.33 - Subscriber+ Stored Cross-Site Scripting