WordPress Plugin Vulnerabilities

WP Time Slots Booking Form < 1.1.82 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
wp-time-slots-booking-form
Fixed in 1.1.82

References

CVE
CVE-2023-23971

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Rio Darmawan
Verified
No
WPVDB ID
7196288b-0563-4366-8c2c-aed7bd0cf6f6

Timeline

Publicly Published
2023-01-20 (about 3 years ago)
Added
2023-04-06 (about 2 years ago)
Last Updated
2023-04-06 (about 2 years ago)

Other

Published
Title
Published
2023-02-20
Title
Ditty < 3.0.33 - Contributor+ Stored XSS
Published
2024-07-15
Title
BSK PDF Manager < 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-02
Title
LuckyWP Table of Contents < 2.1.11 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
Published
2025-01-03
Title
Wp advertising management <= 1.0.3 - Reflected Cross-Site Scripting
Published
2024-05-02
Title
Pet Manager <= 1.4 - Contributor+ Stored XSS