BA Book Everything < 1.6.9 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE 2024-32598 | Plugin Vulnerabilities

Description

The BA Book Everything plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to 1.6.9 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

ba-book-everything

Fixed in 1.6.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ad374338-2bf4-4322-be5e-b4fe07acf80d

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

emad

Verified

No

WPVDB ID

c02cbe50-ebe9-4e96-be3d-116b0b18b1a4

Timeline

Publicly Published

2024-04-16 (about 2 years ago)

Added

2024-04-23 (about 2 years ago)

Last Updated

2024-04-23 (about 2 years ago)

Other

Published

Title

Published

2025-01-16

Title

Magic Google Maps <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-03-13

Title

Otter Blocks < 2.6.5 - Contributor+ Stored Cross-Site Scripting

Published

2015-04-16

Title

Content Slide <= 1.4.2 - CSRF & Stored XSS

Published

2025-10-06

Title

Featured Image from URL (FIFU) < 5.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image Custom Fields

Published

2017-06-01

Title

WP Live Chat Support < 7.0.07 - Cross-Site Scripting (XSS)