Availability Calendar < 1.2.2 – Authenticated Stored Cross-Site Scripting | CVE 2021-24604 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape its Category Names before outputting them in page/post where the associated shortcode is embed, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed

Proof of Concept

Create a new category via the plugin (/wp-admin/admin.php?page=owaccategory), add the following payload in the Name field: <script>alert(/XSS/)</script>, then view a page/post where the  associated Category Shortcode is embed

Affects Plugins

availability-calendar

Fixed in 1.2.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

xiahao@webray.com.cn inc

Submitter

xiahao@webray.com.cn inc

Submitter twitter

lAmn9V6MU9Dfb8p

Verified

Yes

WPVDB ID

d084c5b1-45f1-4e7e-b3e9-3c98ae4bce9c

Timeline

Publicly Published

2021-08-03 (about 4 years ago)

Added

2021-08-19 (about 4 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2022-01-06

Title

Ultimate Reviews < 3.0.16 - Admin+ Stored Cross-Site Scripting

Published

2025-04-01

Title

Webling <= 3.9.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-07-19

Title

Category Posts Widget (Free < 4.9.17, Pro < 4.9.13) - Admin+ Stored XSS

Published

2024-11-25

Title

Multiple Plugins from CreativeMindsSolutions - Reflected XSS

Published

2014-08-01

Title

Advanced Dewplayer - dewplayer-vinyl.swf xml Parameter XML File H&ling XSS