Availability Calendar < 1.2.2 – Authenticated Stored Cross-Site Scripting | CVE 2021-24604 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape its Category Names before outputting them in page/post where the associated shortcode is embed, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed

Proof of Concept

Create a new category via the plugin (/wp-admin/admin.php?page=owaccategory), add the following payload in the Name field: <script>alert(/XSS/)</script>, then view a page/post where the  associated Category Shortcode is embed

Affects Plugins

availability-calendar

Fixed in 1.2.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

xiahao@webray.com.cn inc

Submitter

xiahao@webray.com.cn inc

Submitter twitter

lAmn9V6MU9Dfb8p

Verified

Yes

WPVDB ID

d084c5b1-45f1-4e7e-b3e9-3c98ae4bce9c

Timeline

Publicly Published

2021-08-03 (about 2 years ago)

Added

2021-08-19 (about 2 years ago)

Last Updated

2022-04-09 (about 2 years ago)

Other

Published

Title

Published

2023-01-06

Title

News & Blog Designer Pack < 3.3 - Contributor+ Stored XSS via Shortcode

Published

2015-04-16

Title

FooBox Image Lightbox <= 1.0.4 - Cross-Site Scripting (XSS)

Published

2016-04-04

Title

ScoreMe Theme - Unauthenticated Reflected Cross-Site Scripting (XSS)

Published

2023-10-02

Title

Blocks <= 1.6.42 - Admin+ Stored XSS

Published

2023-10-24

Title

WP GoToWebinar < 14.46 - Admin+ Stored XSS