WordPress Plugin Vulnerabilities

Booking calendar, Appointment Booking System < 3.2.4 - Editor+ Stored XSS

Description

The plugin does not escape some parameters, which could allow users with a role as low as Editor to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
booking-calendar
Fixed in 3.2.4

References

CVE
CVE-2022-47438

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
yuyudhn
Verified
No
WPVDB ID
ca18d7d8-920c-4c22-8c1f-e1cd915ab70a

Timeline

Publicly Published
2023-01-27 (about 3 years ago)
Added
2023-03-30 (about 3 years ago)
Last Updated
2023-03-30 (about 3 years ago)

Other

Published
Title
Published
2022-04-13
Title
Admin Menu Editor <= 1.0.4 - Reflected Cross-Site Scripting
Published
2025-09-22
Title
Dialogity Free Live Chat < 1.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2015-08-25
Title
OnePress Social Locker < 4.2.5 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2025-01-10
Title
Zalomení <= 1.5 - Admin+ Stored XSS
Published
2025-09-22
Title
Penci Portfolio < 3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting