WordPress Plugin Vulnerabilities

Appointment Hour Booking < 1.3.56 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape a settings of its Calendar fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.

Proof of Concept

Create/edit a calendar, and put the following payload in the "Additional CSS Class" settings of a field:
v < 1.3.55: "><img src=x onerror=alert(/XSS/)><"
v < 1.3.56: backend: " style=animation-name:rotation onanimationstart=alert(/XSS/)//, frontend: " style=position:absolute;top:0;left:0;max-width:9999px;width:9999px;height:9999px onmouseover=alert(/XSS/)// 

The XSS will be triggered in the post/page where the Calendar is embed, as well when accessing the field settings when editing the calendar

Affects Plugins

Plugin icon
appointment-hour-booking
Fixed in 1.3.56

References

CVE
CVE-2022-1710

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Bruno Halltari
Submitter
BrunoModificato
Submitter twitter
BrunoModificato
Verified
Yes
WPVDB ID
ed162ccc-88e6-41e8-b24d-1b9f77a038b6

Timeline

Publicly Published
2022-05-23 (about 1 years ago)
Added
2022-05-23 (about 1 years ago)
Last Updated
2023-02-18 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
Thank You Counter Button <= 1.8.2 - Cross-Site Scripting (XSS)
Published
2020-08-17
Title
Colorbox Lightbox < 1.1.5 - Contributor+ Stored Cross-Site Scripting
Published
2023-05-09
Title
Easy Hide Login < 1.0.8 - Admin+ Stored XSS
Published
2021-03-26
Title
Patreon WordPress < 1.7.2 - Reflected XSS on Login Form
Published
2023-10-02
Title
Popup contact form <= 7.1 - Admin+ Stored XSS