WordPress Plugin Vulnerabilities

Booking Ultra Pro < 1.1.7 - Stored Cross-Site Scripting via CSRF

Description

The plugin does not have CSRF check in some places, and does not sanitise as well as escape parameters, which could allow attackers to make logged in users put Stored XSS payloads via CSRF attacks

Affects Plugins

Plugin icon
booking-ultra-pro
Fixed in 1.1.7

References

CVE
CVE-2021-36855

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Ngo Van Thien
Verified
No
WPVDB ID
4986182c-f577-4ec4-b65d-883a15f52633

Timeline

Publicly Published
2022-09-28 (about 3 years ago)
Added
2022-10-01 (about 3 years ago)
Last Updated
2023-07-12 (about 2 years ago)

Other

Published
Title
Published
2025-03-28
Title
OmniLeads Scripts and Tags Manager <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2022-05-27
Title
Admin Management Xtended < 2.4.5 - Multiple CSRF
Published
2024-12-11
Title
Insertify <= 1.1.4 - Cross-Site Request Forgery to Remote Code Execution
Published
2021-11-18
Title
Easy Registration Forms <= 2.1.1 - CSRF to Stored Cross-Site Scripting
Published
2024-04-10
Title
USPS Shipping for WooCommerce – Live Rates < 1.9.3 - Cross-Site Request Forgery