WordPress Plugin Vulnerabilities

WP Booking Calendar < 10.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Description

The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 10.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. In addition, site administrators have the option to grant lower-level users with access to manage the plugin's settings which may extend this vulnerability to those users.

Affects Plugins

Plugin icon
booking
Fixed in 10.6.1

References

CVE
CVE-2024-9306
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/128d45ec-941c-414c-b341-9964dc748132

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
zhenhua fan
Verified
No
WPVDB ID
783e5d94-2930-4715-afeb-5b997363d361

Timeline

Publicly Published
2024-10-03 (about 1 year ago)
Added
2024-10-03 (about 1 year ago)
Last Updated
2024-10-04 (about 1 year ago)

Other

Published
Title
Published
2022-05-09
Title
Amazon Link <= 3.2.10 - Admin+ Stored Cross-Site Scripting
Published
2022-08-12
Title
Alpine PhotoTile for Pinterest <= 1.3.1 - Admin+ Stored Cross-Site Scripting
Published
2020-08-03
Title
Newsletter < 6.8.2 - Authenticated Cross-Site Scripting (XSS)
Published
2025-01-16
Title
Mancx AskMe Widget <= 0.3 - Reflected Cross-Site Scripting
Published
2023-09-25
Title
iframe < 4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'iframe' Shortcode