Online Hotel Booking System Pro <= 1.1 – Unauthenticated Stored Cross-Site Scripting (XSS) | CVE 2020-15536 | Plugin Vulnerabilities

Description

An unauthenticated user can inject malicious JavaScript via the booking form, specifically in the new user details.. The XSS payload is then executed when an authenticated administrator user views the booking on the Customer-booking page.

Proof of Concept

Inject XSS via most fields in the booking form, which will then be executed on the Customer-booking admin page, when viewed by an authenticated administrator.

Affects Plugins

No known fix

References

CVE

URL

https://packetstormsecurity.com/files/#157116/

URL

https://codecanyon.net/item/online-hotel-booking-system-pro-wordpress-plugin/9338914

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

@ThelastVvV

Verified

No

WPVDB ID

eba047cc-034c-4b21-86cd-6e8e1a4f6aa4

Timeline

Publicly Published

2020-04-04 (about 6 years ago)

Added

2020-04-09 (about 6 years ago)

Last Updated

2020-07-06 (about 5 years ago)

Other

Published

Title

Published

2024-12-06

Title

Blaze Online eParcel for WooCommerce <= 1.3.3 - Reflected Cross-Site Scripting

Published

2023-05-16

Title

WP < 6.2.1 - Contributor+ Stored XSS via Open Embed Auto Discovery

Published

2025-04-04

Title

LA-Studio Element Kit for Elementor < 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2026-03-03

Title

Thecs <= 1.4.7 - Reflected Cross-Site Scripting

Published

2023-04-18

Title

Semalt Blocker <= 1.1.3 - Admin+ Stored XSS