WordPress Plugin Vulnerabilities

VikBooking < 1.5.9 - Reflected Cross-Site Scripting

Description

The plugin does not escape the current URL before putting it back in a JavaScript context, leading to a Reflected Cross-Site Scripting

Proof of Concept

Affects Plugins

Plugin icon
vikbooking
Fixed in 1.5.9

References

CVE
CVE-2022-1528

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Bruno Halltari
Submitter
BrunoModificato
Submitter twitter
BrunoModificato
Verified
Yes
WPVDB ID
d1e59894-382f-4151-8c4c-5608f3d8ac1f

Timeline

Publicly Published
2022-05-03 (about 3 years ago)
Added
2022-05-03 (about 3 years ago)
Last Updated
2022-05-04 (about 3 years ago)

Other

Published
Title
Published
2023-12-26
Title
weForms – Easy Drag & Drop Contact Form Builder For WordPress < 1.6.18 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2024-08-09
Title
MDx < 2.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via mdx_list_item Shortcode
Published
2020-03-27
Title
CM Pop-Up banners < 1.4.11 - Authenticated Stored XSS
Published
2024-11-08
Title
Luzuk Slider <= 0.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-04-18
Title
TaxoPress < 3.6.5 - Editor+ Stored XSS