WP Time Slots Booking Form < 1.1.63 – Admin+ Stored Cross-Site Scripting | CVE 2022-0389

Description

The plugin does not sanitise and escape Calendar names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Create a new calendar with the following Name: <script>alert('XSS')</script>

The XSS will be triggered when editing or publishing the calendar

Affects Plugins

wp-time-slots-booking-form

Fixed in 1.1.63

References

CVE

CVE-2022-0389

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.4 (low)

Miscellaneous

Original Researcher

Rubina Shaikh

Submitter

Rubina Shaikh

Submitter website

https://www.linkedin.com/in/rubina-shaikh-70b852166/

Verified

Yes

WPVDB ID

788ead78-9aa2-49a3-b191-12114be8270b

Timeline

Publicly Published

2022-02-02 (about 3 years ago)

Added

2022-02-02 (about 3 years ago)

Last Updated

2022-04-13 (about 3 years ago)

Other

Published

Title

Published

2025-05-30

Title

Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder < 5.11.3 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

Published

2018-11-14

Title

Easy Custom Auto Excerpt <= 2.4.6 - XSS

Published

2025-03-12

Title

Picture Gallery < 1.6.4 - Unauthenticated Stored XSS

Published

2021-06-28

Title

Yada Wiki < 3.4.1 - Contributor+ Stored XSS

Published

2024-05-07

Title

HT Mega – Absolute Addons For Elementor < 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Justify