WordPress Plugin Vulnerabilities
Booking Calendar < 9.7.3.1 - Unauthenticated Stored XSS
Description
The plugin does not sanitize and escape some of its booking form data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators.
Proof of Concept
As an unauthenticated user, submit a booking form (such a form can be added via the Booking Calendar Block on a page/post) with the payload below in the First or Last Name field (the original advisory lists it HTML-entity encoded; it is shown here decoded): `"><img src=1 onerror="javascript:alert(document.cookie)"></img>`. The XSS will be triggered when an admin accesses the calendar overview dashboard (i.e. /wp-admin/admin.php?page=wpbc&view_days_num=90&view_mode=vm_calendar).
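The root cause described above is a stored value that reaches an admin page without output escaping. The following is an added illustration, not the plugin's code or the advisory author's, showing the vulnerable rendering pattern beside the hardened one in plain PHP, plus the kind of input check a triage script could run over stored bookings. All function names and the sample booking are constructed for this example; `htmlspecialchars`, `strip_tags` and `preg_match` are standard PHP, and the WordPress equivalents named in the comments (`esc_html()`, `sanitize_text_field()`) are the functions a plugin would normally use instead.

```php
<?php
// Added example (not the plugin's code). Function names are hypothetical.

// Constructed booking record, as it might be stored after an unauthenticated
// form submission. The first_name value is deliberately hostile.
function sample_booking(): array {
    return [
        'first_name' => '"><img src=1 onerror="alert(1)">',  // constructed hostile input
        'last_name'  => 'Doe',
    ];
}

// Vulnerable pattern: the stored value is concatenated straight into the
// admin page's HTML, so any markup in it is interpreted by the browser.
function render_name_vulnerable(array $booking): string {
    return '<td>' . $booking['first_name'] . ' ' . $booking['last_name'] . '</td>';
}

// Hardened pattern: escape on output for the HTML text context.
// ENT_QUOTES turns <, >, &, " and ' into entities, so the browser shows the
// name as inert text. In WordPress this is what esc_html() does.
function render_name_fixed(array $booking): string {
    $full = $booking['first_name'] . ' ' . $booking['last_name'];
    $safe = htmlspecialchars($full, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td>' . $safe . '</td>';
}

// Defence in depth: also sanitize on input before the value is stored, so
// markup never reaches the database. WordPress's sanitize_text_field() does
// roughly this; a plain-PHP approximation is shown here.
function sanitize_name_input(string $raw): string {
    $value = strip_tags($raw);                          // drop any tags
    $value = preg_replace('/[\x00-\x1F\x7F]/u', '', $value); // drop control chars
    return trim($value);
}

// Triage check: flag stored names that contain markup or event-handler
// syntax, which a legitimate name never should. Useful when reviewing
// existing bookings after patching to see whether the field was abused.
function looks_like_markup(string $value): bool {
    return (bool) preg_match('/[<>]|\bon\w+\s*=|javascript:/i', $value);
}

$booking = sample_booking();

// Unescaped: the onerror handler would run in the admin's browser.
echo render_name_vulnerable($booking), PHP_EOL;

// Escaped: renders as the literal text of the payload, nothing executes.
echo render_name_fixed($booking), PHP_EOL;

// Sanitized on input: the tag is gone before storage.
echo sanitize_name_input($booking['first_name']), PHP_EOL;

// Triage flag on the stored value.
var_dump(looks_like_markup($booking['first_name']));
```

Escaping on output is the fix that closes the vulnerability regardless of how the value got into the database; input sanitization is a second layer that reduces what an attacker can store, and the `looks_like_markup` check is for reviewing existing data, not a substitute for either.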
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Pablo Sanchez
Submitter
Pablo Sanchez
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-09-11
Added
2023-09-11
Last Updated
2023-09-11