WP Time Slots Booking Form < 1.1.63 – Admin+ Stored Cross-Site Scripting | CVE 2022-0389

Description

The plugin does not sanitise and escape Calendar names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Create a new calendar with the following Name: <script>alert('XSS')</script>

The XSS will be triggered when editing or publishing the calendar

Affects Plugins

wp-time-slots-booking-form

Fixed in 1.1.63

References

CVE

CVE-2022-0389

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.4 (low)

Miscellaneous

Original Researcher

Rubina Shaikh

Submitter

Rubina Shaikh

Submitter website

https://www.linkedin.com/in/rubina-shaikh-70b852166/

Verified

Yes

WPVDB ID

788ead78-9aa2-49a3-b191-12114be8270b

Timeline

Publicly Published

2022-02-02 (about 2 years ago)

Added

2022-02-02 (about 2 years ago)

Last Updated

2022-04-13 (about 2 years ago)

Other

Published

Title

Published

2021-08-30

Title

CoolClock < 4.3.5 - Contributor+ Stored Cross-Site Scripting

Published

2023-09-08

Title

Staff / Employee Business Directory for Active Directory < 1.2.3 - Improper escaping of LDAP entries

Published

2011-09-27

Title

Trending < 0.2 - XSS

Published

2024-03-21

Title

Page Builder: Pagelayer – Drag and Drop website builder < 1.8.5 - Contributor+ Stored XSS

Published

2015-07-28

Title

Flickr Justified Gallery < 3.4.0 - Reflected Cross-Site Scripting (XSS)