Car Rental System <= 1.3 – Unauthenticated Stored Cross-Site Scripting (XSS) | CVE 2020-15535 | Plugin Vulnerabilities

Description

An unauthenticated user can inject malicious JavaScript via the booking form, specifically in the new user details. The XSS payload is then executed when an authenticated administrator user views the booking on the booking-list and cust-lookup pages.

Proof of Concept

Inject XSS via most fields in the booking form, which will then be executed on the booking-list and cust-lookup admin pages, when viewed by an authenticated administrator.

Affects Plugins

No known fix

References

CVE

URL

https://packetstormsecurity.com/files/#157118/

URL

https://codecanyon.net/item/car-rental-system-wordpress-plugin/4239755

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

@ThelastVvV

Verified

No

WPVDB ID

583fcc39-1a56-4bdd-a02f-0bbf4fb9849e

Timeline

Publicly Published

2020-04-05 (about 6 years ago)

Added

2020-04-09 (about 6 years ago)

Last Updated

2020-07-06 (about 5 years ago)

Other

Published

Title

Published

2026-01-05

Title

MediaPress < 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode

Published

2019-09-16

Title

Poll, Survey, Form & Quiz Maker by OpinionStage < 19.6.25 - Unauthenticated Cross-Site Scripting (XSS)

Published

2025-03-03

Title

Slider by 10Web < 1.2.62 - Contributor+ Stored XSS

Published

2024-12-17

Title

Custom Dashboard Widget <= 1.0.0 - Reflected Cross-Site Scripting

Published

2024-07-10

Title

AdPush <= 1.50 - Reflected Cross-Site Scripting