Book appointment Online < 1.39 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2021-24614 | Plugin Vulnerabilities

Description

The plugin does not sanitise or escape Service Prices before outputting it in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

In the admin dashboard navigate to Services > Add service and put the following payload in the Price (Service Params section): <script>alert('test')</script>

The XSS will be triggered in the Services list (/wp-admin/edit.php?post_type=services)

Affects Plugins

book-appointment-online

Fixed in 1.39

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Tri Wanda Septian

Submitter

Tri Wanda Septian

Submitter website

https://twseptian.github.io/

Submitter twitter

Verified

Yes

WPVDB ID

e8b5c609-dc67-4dce-b6bb-7d63c0c2a014

Timeline

Publicly Published

2021-08-10 (about 2 years ago)

Added

2021-08-10 (about 2 years ago)

Last Updated

2022-04-02 (about 2 years ago)

Other

Published

Title

Published

2019-06-20

Title

Import users from CSV with meta <= 1.14.1.2 - XSS

Published

2021-08-10

Title

Profile Builder < 3.5.1 - Reflected Cross-Site Scripting

Published

2023-08-14

Title

Multiple Themes - Reflected XSS

Published

2014-08-01

Title

Springboard Video Quick Publish 0.2.6 - videolist.php paged Parameter Reflected XSS

Published

2022-05-04

Title

Andrea Pernici News Sitemap for Google <= 1.0.16 - Contributor+ Stored Cross-Site Scripting