Appointment Hour Booking < 1.3.56 – Admin+ Stored Cross-Site Scripting | CVE 2022-1710 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape a settings of its Calendar fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.

Proof of Concept

Create/edit a calendar, and put the following payload in the "Additional CSS Class" settings of a field:
v < 1.3.55: "><img src=x onerror=alert(/XSS/)><"
v < 1.3.56: backend: " style=animation-name:rotation onanimationstart=alert(/XSS/)//, frontend: " style=position:absolute;top:0;left:0;max-width:9999px;width:9999px;height:9999px onmouseover=alert(/XSS/)// 

The XSS will be triggered in the post/page where the Calendar is embed, as well when accessing the field settings when editing the calendar

Affects Plugins

appointment-hour-booking

Fixed in 1.3.56

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Bruno Halltari

Submitter

BrunoModificato

Submitter twitter

BrunoModificato

Verified

Yes

WPVDB ID

ed162ccc-88e6-41e8-b24d-1b9f77a038b6

Timeline

Publicly Published

2022-05-23 (about 3 years ago)

Added

2022-05-23 (about 3 years ago)

Last Updated

2023-02-18 (about 2 years ago)

Other

Published

Title

Published

2022-11-23

Title

ARForms Form Builder < 1.5.7 - Unauthenticated Stored XSS

Published

2018-06-20

Title

Open Graph for Facebook, Google+ and Twitter Card Tags <= 2.2.4 - Authenticated Reflected XSS

Published

2024-03-28

Title

Lordicon Animated Icons <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-04-17

Title

Post Shortcode <= 2.0.9 - Contributor+ Stored Cross-Site Scripting

Published

2014-08-01

Title

FuneralPress 1.1.6 - Stored XSS