How it works Pricing

Vulnerabilities

WordPress Plugins Themes Stats Submit vulnerabilities

For developers

Status API details CLI scanner

WordPress Plugin Vulnerabilities

Amelia < 1.0.47 - Unauthenticated Stored XSS via lastName

Description

The plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the lastName parameter found in the ~/src/Application/Controller/User/Customer/AddCustomerController.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user accesses the booking calendar with the date the attacker has injected the malicious payload into.

Affects Plugins

Fixed in version 1.0.47

References

CVE

URL

https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0834

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Vinay Kumar from Trellix

Verified

Yes

WPVDB ID

0107553b-4038-4e86-a869-86665c8bcba9

Timeline

Publicly Published

2022-03-02 (about 5 months ago)

Added

2022-03-02 (about 5 months ago)

Last Updated

2022-04-08 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin