Appointment Hour Booking < 1.3.73 – Unauthenticated iFrame Injection | CVE 2022-4035 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the email and general field parameters, which could allow unauthenticated users to perform iFrame injection attack

Proof of Concept

As an unauthenticated user, submit a booking and put an iFrame payload in the email/general field parameter

The iFrame will be executed when a user access the injected booking page

Affects Plugins

appointment-hour-booking

Fixed in 1.3.73

References

CVE

Classification

Type

CROSS FRAME SCRIPTING

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Luca Greeb, Andreas Krüger

Verified

No

WPVDB ID

68dc41f0-934c-4008-a834-5e92627c6c71

Timeline

Publicly Published

2022-11-29 (about 3 years ago)

Added

2022-11-29 (about 3 years ago)

Last Updated

2022-11-29 (about 3 years ago)

Other

Published

Title

Published

2022-11-29

Title

Quiz and Survey Master < 8.0.5 - Unauthenticated iFrame Injection

Published

2024-02-23

Title

Brizy – Page Builder < 2.4.41 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-12-16

Title

Learning Management System, eLearning, Course Builder, WordPress LMS Plugin – Sikshya LMS < 0.0.22 - Reflected Cross-Site Scripting via page Parameter

Published

2025-10-14

Title

WPBakery Page Builder < 8.7 - Stored Cross-Site Scripting via Custom JS Module

Published

2024-11-12

Title

WP-Strava <= 2.12.1 - Authenticated (Administrator+) Stored Cross-Site Scripting