Amelia < 1.0.47 – Unauthenticated Stored XSS via lastName | CVE 2022-0834 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the lastName parameter found in the ~/src/Application/Controller/User/Customer/AddCustomerController.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user accesses the booking calendar with the date the attacker has injected the malicious payload into.

Affects Plugins

Fixed in 1.0.47

References

CVE

URL

https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0834

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Vinay Kumar from Trellix

Verified

Yes

WPVDB ID

0107553b-4038-4e86-a869-86665c8bcba9

Timeline

Publicly Published

2022-03-02 (about 3 years ago)

Added

2022-03-02 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2025-12-11

Title

NewStatPress <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-06-27

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.0 - Unauthenticated Stored Cross-Site Scripting

Published

2023-02-06

Title

Responsive Image Gallery, Gallery Album < 2.0.2 - Reflected XSS

Published

2022-11-03

Title

Beautiful Cookie Consent Banner < 2.9.1 - Admin+ Stored XSS

Published

2022-01-12

Title

PowerPack Lite for Beaver Builder < 1.2.9.3 - Reflected Cross-Site Scripting