WordPress Plugin Vulnerabilities

Pinpoint Booking System < 2.9.9.5.8 - Stored XSS via CSRF

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to modify settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
booking-system
Fixed in 2.9.9.5.8

References

CVE
CVE-2024-49304
URL
https://patchstack.com/database/wordpress/plugin/booking-system/vulnerability/wordpress-pinpoint-booking-system-plugin-2-9-9-5-1-cross-site-scripting-xss-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Muhammad Daffa
Verified
No
WPVDB ID
38b444e8-33b3-4dfe-8dfe-be428359112f

Timeline

Publicly Published
2024-10-15 (about 1 year ago)
Added
2024-10-18 (about 1 year ago)
Last Updated
2025-09-20 (about 8 months ago)

Other

Published
Title
Published
2023-11-16
Title
WP Meta and Date Remover < 2.3.1 - Cross-Site Request Forgery via updateSettings
Published
2025-09-26
Title
Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms <= 1.0 - Cross-Site Request Forgery
Published
2022-05-30
Title
Amazon Einzeltitellinks <= 1.3.3 - Arbitrary Settings Update to Stored XSS via CSRF
Published
2023-03-30
Title
Swatchly – WooCommerce Variation Swatches for Products < 1.2.1 - Cross-Site Request Forgery
Published
2025-02-18
Title
Apptivo Business Site CRM <= 5.3 - Cross-Site Request Forgery to IP Address Block