Appointment Hour Booking – WordPress Booking Plugin < 1.3.17 – Authenticated Stored XSS | CVE 2021-24712 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize values used when creating new calendars.

Proof of Concept

* Open the Appointment Hour Booking Tab.
* Enter XSS payload  like "><script>alert(document.location)</script> in new calendar name field. and click on "add new" button.
* Go back to the Appointment Hour Booking Tab and select "Publish" for any calendar.
* The XSS payload will trigger on this page.

Affects Plugins

appointment-hour-booking

Fixed in 1.3.17

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Shivam Rai

Submitter

Shivam Rai

Submitter twitter

Verified

Yes

WPVDB ID

e677e51b-0d3f-44a5-9fcd-c159786b9926

Timeline

Publicly Published

2021-09-10 (about 4 years ago)

Added

2021-09-10 (about 4 years ago)

Last Updated

2022-04-24 (about 3 years ago)

Other

Published

Title

Published

2023-06-12

Title

Ninja Forms Google Sheet Connector < 1.2.7 - Reflected XSS

Published

2024-10-08

Title

Contact Form 7 – PayPal & Stripe Add-on < 2.3.1 - Reflected Cross-Site Scripting

Published

2024-03-12

Title

Sky Addons for Elementor < 2.5.0 - Authenticated(Contributor+) Stored Cross-site scripting via Wrapper Link URL

Published

2025-10-28

Title

LiteSpeed Cache < 7.6 - Reflected XSS

Published

2024-01-31

Title

Advanced iFrame < 2024.0 - Contributor+ Stored XSS