VikBooking Hotel Booking Engine & PMS < 1.5.8 – Admin+ Stored Cross-Site Scripting | CVE 2022-1408 | Plugin Vulnerabilities

Description

The plugin does not escape various settings before outputting them in attributes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Proof of Concept

v < 1.5.7

Add/edit a custom field (/wp-admin/admin.php?option=com_vikbooking&task=customf) and put the following payload in the Field Name or Popup Link fields: "autofocus/onfocus=alert(/XSS/)//

The XSS will be triggered when editing the Custom Field again

v < 1.5.8
Add the following payload in the Admin Email settings (at /wp-admin/admin.php?option=com_vikbooking&task=config): "autofocus/onfocus=alert(/XSS/)//

Other settings were also affected

Affects Plugins

Fixed in 1.5.8

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

gabriel3476

Submitter

gabriel3476

Submitter website

https://github.com/Gabriel3476/

Verified

Yes

WPVDB ID

48dccf4c-07e0-4877-867d-f8f43aeb5705

Timeline

Publicly Published

2022-04-21 (about 3 years ago)

Added

2022-04-21 (about 3 years ago)

Last Updated

2022-04-22 (about 3 years ago)

Other

Published

Title

Published

2024-11-28

Title

WP MathJax <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2021-07-12

Title

Newsmag < 5.0 - Unauthenticated Reflected Cross-site Scripting (XSS)

Published

2021-04-19

Title

Photo Gallery < 1.5.69 - Multiple Reflected Cross-Site Scripting (XSS)

Published

2024-11-29

Title

MaxButtons < 9.8.1 - Admin+ Stored XSS via Text Color

Published

2024-01-31

Title

Beds24 Online Booking < 2.0.24 - Authenticated(Administrator+) Stored Cross-Site Scripting