Booking Calendar < 9.7.3.1 – Unauthenticated Stored XSS | CVE 2023-4620 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape some of its booking from data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators

Proof of Concept

As an unauthenticated user, submit a booking form (such form can be added via the Booking Calendar Block on a page/post) with the payload below in the First or Last Name field:

"><img src=1 onerror="javascript:alert(document.cookie)"></img>

Which is the HTML encoded of ><img src=1 onerror="javascript:alert(document.cookie)"></img>


The XSS will be triggered when an admin will access the calendar overview dashboard (ie /wp-admin/admin.php?page=wpbc&view_days_num=90&view_mode=vm_calendar)

Affects Plugins

Fixed in 9.7.3.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Pablo Sanchez

Submitter

Pablo Sanchez

Verified

Yes

WPVDB ID

084e9494-2f9e-4420-9bf7-78a1a41433d7

Timeline

Publicly Published

2023-09-11 (about 8 months ago)

Added

2023-09-11 (about 8 months ago)

Last Updated

2023-09-11 (about 8 months ago)

Other

Published

Title

Published

2023-07-18

Title

Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting

Published

2015-07-23

Title

Flash Player Plugin <= 1.3 - Multiple Cross-Site Scripting (XSS)

Published

2022-09-06

Title

Ketchup Restaurant Reservations <= 1.0.0 - Unauthenticated Stored XSS

Published

2019-05-08

Title

Custom Field Suite <= 2.5.14 - Authenticated Cross-Site Scripting (XSS)

Published

2024-01-03

Title

Wp-Adv-Quiz <= 1.0.4 - Admin+ Stored XSS in Quiz Overview