WordPress Plugin Vulnerabilities

Appointment Booking Calendar < 1.3.19 - Unauthenticated Stored XSS

Description

Lack of authorisation check in the cpabc_appointments_save_edition() function can lead to stored XSS via the editionarea parameter when cfwpp_edit is set to 'js' or 'css'

Proof of Concept

Affects Plugins

Plugin icon
appointment-booking-calendar
Fixed in 1.3.19

References

CVE
CVE-2019-14791
URL
https://plugins.trac.wordpress.org/changeset?reponame=&new=2117259%40appointment-booking-calendar&old=2112885%40appointment-booking-calendar

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.5 (medium)

Miscellaneous

Verified
Yes
WPVDB ID
2f204527-d11b-4b7a-8a57-95dbb8e69d6d

Timeline

Publicly Published
2019-07-04 (about 6 years ago)
Added
2019-07-05 (about 6 years ago)
Last Updated
2020-08-10 (about 5 years ago)

Other

Published
Title
Published
2022-01-19
Title
WOOCS < 1.3.7.5 - Reflected Cross-Site Scripting
Published
2015-05-06
Title
ClickBank Affiliate Ads < 1.35 - Admin+ Stored Cross-Site Scripting
Published
2014-08-01
Title
Wordpress 3.0.3 - Stored XSS
Published
2024-09-04
Title
RD Station < 5.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-09-27
Title
Starter Templates < 4.4.1 - Author+ Stored XSS