logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Salon Booking System < 6.3.1 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

The plugin does not properly sanitise and escape the First Name field when booking an appointment, allowing low privilege users such as subscriber to set JavaScript in them, leading to a Stored Cross-Site Scripting (XSS) vulnerability. The Payload will then be triggered when an admin visits the "Calendar" page and the malicious script is executed in the admin context.

Proof of Concept

When booking an appointment, either as unauthenticated or any authenticated user, put the following payload in the First Name field: test" onfocus=alert('XSS')

The payload will be triggered when an admin will access the appointment via the 'Calendar' page


Edit (WPScanTeam): Payload w/o user interaction other than accessing the calendar page: " style="animation-name:rotation" onanimationstart="alert(/XSS/)//

Affects Plugins

salon-booking-system

Fixed in version 6.3.1

References

CVE

CVE-2021-24429

URL

https://plugins.trac.wordpress.org/changeset/2550306/salon-booking-system

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Phu Tran from techlabcorp.com

Submitter

Phu Tran

Verified

Yes

WPVDB ID

e922b788-7da5-43b4-9b05-839c8610252a

Timeline

Publicly Published

2021-06-21 (about 3 months ago)

Added

2021-06-21 (about 3 months ago)

Last Updated

2021-06-25 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin