Appointment Hour Booking – WordPress Booking Plugin < 1.3.17 – Authenticated Stored XSS | CVE 2021-24712 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize values used when creating new calendars.

Proof of Concept

* Open the Appointment Hour Booking Tab.
* Enter XSS payload  like "><script>alert(document.location)</script> in new calendar name field. and click on "add new" button.
* Go back to the Appointment Hour Booking Tab and select "Publish" for any calendar.
* The XSS payload will trigger on this page.

Affects Plugins

appointment-hour-booking

Fixed in 1.3.17

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Shivam Rai

Submitter

Shivam Rai

Submitter twitter

Verified

Yes

WPVDB ID

e677e51b-0d3f-44a5-9fcd-c159786b9926

Timeline

Publicly Published

2021-09-10 (about 4 years ago)

Added

2021-09-10 (about 4 years ago)

Last Updated

2022-04-24 (about 3 years ago)

Other

Published

Title

Published

2021-06-22

Title

Fudousan < 5.7.2 - Authenticated Cross-Site Scripting (XSS)

Published

2024-03-06

Title

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin < 3.1.5 - Unauthenticated Stored Self-Based Cross-Site Scripting

Published

2025-12-04

Title

Thai Lottery Widget <= 2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Published

2025-06-19

Title

CP Polls <= 1.0.81 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2017-02-07

Title

Raygun4WP <= 1.8.0 - Unauthenticated Reflected XSS