WordPress Plugin Vulnerabilities

Appointment and Event Booking Calendar for WordPress < 1.0.76 - Reflected XSS

Description

The plugin does not sanitise and escape the code parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Affects Plugins

Plugin icon
ameliabooking
Fixed in 1.0.76

References

CVE
CVE-2023-27918
CVE
CVE-2023-29427
URL
https://jvn.jp/en/jp/JVN00971105/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Gen Sato of Mitsui Bussan Secure Directions, Inc, minhtuanact
Verified
Yes
WPVDB ID
7ce4a814-4028-45b8-b4c7-2ff76f537eb2

Timeline

Publicly Published
2023-04-06 (about 2 years ago)
Added
2023-04-24 (about 2 years ago)
Last Updated
2023-04-24 (about 2 years ago)

Other

Published
Title
Published
2024-12-13
Title
Eveeno < 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-01-12
Title
WP SMS < 6.5.2 - Contributor+ Stored Cross-Site Scripting
Published
2014-08-01
Title
SimpleMail 1.0.6 - Stored XSS
Published
2024-11-08
Title
Wezido <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-03
Title
WP Multi Store Locator < 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting