Booking.com Product Helper < 1.0.2 – Admin+ Stored Cross-Site Scripting | CVE 2021-24645 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape Product Code when creating Product Shortcode, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

When creating a "New product shortcode" you can inject XSS payloads like <--`<img/src=` onerror=confirm``> --!> in the Product Code form field. When a page that includes that product's shortcode is viewed by a visitor, the payload will execute.

Affects Plugins

bookingcom-product-helper

Fixed in 1.0.2

References

CVE

URL

https://www.hackpertise.com/cve/21-cve-2021-24645/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Asif Nawaz Minhas

Submitter

Asif Nawaz Minhas

Verified

Yes

WPVDB ID

b15744de-bf56-4e84-9427-b5652d123c15

Timeline

Publicly Published

2021-10-05 (about 4 years ago)

Added

2021-10-05 (about 4 years ago)

Last Updated

2023-04-12 (about 2 years ago)

Other

Published

Title

Published

2021-07-23

Title

GTranslate < 2.8.65 - Reflected Cross-Site Scripting (XSS)

Published

2025-01-30

Title

Link Fixer <= 3.4 - Unauthenticated Stored Cross-Site Scripting

Published

2025-11-17

Title

Gutenify - Visual Site Builder Blocks & Site Templates <= 1.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Count Up block

Published

2025-01-16

Title

MyBookProgress by Stormhill Media <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via book Parameter

Published

2024-10-03

Title

Product Delivery Date for WooCommerce – Lite < 2.7.4 - Reflected Cross-Site Scripting