WordPress Plugin Vulnerabilities

Appointment Hour Booking <= 1.1.45 - Stored Cross-Site Scripting (XSS)

Description

It is possible for an unauthenticated user to inject malicious JavaScript into a booking form, which will then be executed when an authenticated user views the booking in the WordPress admin interface.

Proof of Concept

Affects Plugins

Plugin icon
appointment-hour-booking
Fixed in 1.1.46

References

CVE
CVE-2019-13505
URL
https://github.com/ivoschyk-cs/CVE-s/blob/master/Appointment%20Hour%20Booking%20%E2%80%93%20WordPress%20Booking%20Plugin%20--%20stored%20XSS
URL
https://plugins.trac.wordpress.org/changeset/2121664/appointment-hour-booking
URL
https://plugins.trac.wordpress.org/changeset/2122311/appointment-hour-booking

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
ivoschyk-cs
Submitter
Ryan Dewhurst
Submitter website
https://wpscan.io
Submitter twitter
ethicalhack3r
Verified
Yes
WPVDB ID
49b6ff20-83c7-4950-ad2f-ba6a7d75c851

Timeline

Publicly Published
2019-07-09 (about 6 years ago)
Added
2019-07-16 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2025-04-24
Title
Able Player, accessible HTML5 media player < 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via preload Parameter
Published
2024-11-25
Title
Multiple Plugins from CreativeMindsSolutions - Reflected XSS
Published
2021-11-09
Title
Get Custom Field Values < 4.0.1 - Contributor+ Stored Cross-Site Scripting
Published
2022-07-28
Title
VR Calendar < 2.3.1 - Reflected Cross-Site Scripting
Published
2024-12-13
Title
Companion Portfolio – Responsive Portfolio Plugin <= 2.4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting