VikBooking Hotel Booking Engine & PMS < 1.5.8 – Admin+ Stored Cross-Site Scripting | CVE 2022-1408 | Plugin Vulnerabilities

Description

The plugin does not escape various settings before outputting them in attributes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Proof of Concept

v < 1.5.7

Add/edit a custom field (/wp-admin/admin.php?option=com_vikbooking&task=customf) and put the following payload in the Field Name or Popup Link fields: "autofocus/onfocus=alert(/XSS/)//

The XSS will be triggered when editing the Custom Field again

v < 1.5.8
Add the following payload in the Admin Email settings (at /wp-admin/admin.php?option=com_vikbooking&task=config): "autofocus/onfocus=alert(/XSS/)//

Other settings were also affected

Affects Plugins

Fixed in 1.5.8

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

gabriel3476

Submitter

gabriel3476

Submitter website

https://github.com/Gabriel3476/

Verified

Yes

WPVDB ID

48dccf4c-07e0-4877-867d-f8f43aeb5705

Timeline

Publicly Published

2022-04-21 (about 2 years ago)

Added

2022-04-21 (about 2 years ago)

Last Updated

2022-04-22 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

NextGEN Gallery <= 1.9.0 - Multiple Cross-Site Scripting (XSS)

Published

2024-02-20

Title

Advanced Social Feeds Widget & Shortcode <= 1.7 - Admin+ Stored XSS

Published

2021-04-19

Title

Popup by Supsystic < 1.10.5 - Reflected Cross-Site scripting (XSS)

Published

2014-08-01

Title

BannerMan 0.2.4 - XSS in wp-admin/options-general.php via bannerman_background parameter

Published

2024-03-28

Title

Otter Blocks < 2.6.6 - Contributor+ Stored XSS