Advanced Booking Calendar < 1.6.8 – Authenticated Reflected Cross-Site Scripting (XSS) | CVE 2021-24232 | Plugin Vulnerabilities

Description

The plugin does not sanitise the license error message when output in the settings page, leading to an authenticated reflected Cross-Site Scripting issue

Proof of Concept

https://plugins.trac.wordpress.org/browser/advanced-booking-calendar/tags/1.6.7/backend/settings.php#L550

/wp-admin/admin.php?page=advanced-booking-calendar-show-settings&setting=licenseKeyError&message=<script>alert(123)</script>

Affects Plugins

advanced-booking-calendar

Fixed in 1.6.8

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2504998/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

iohex

Submitter

iohex

Verified

Yes

WPVDB ID

f06629b5-8b15-48eb-a7a7-78b693e06b71

Timeline

Publicly Published

2021-03-30 (about 4 years ago)

Added

2021-03-30 (about 4 years ago)

Last Updated

2021-03-31 (about 4 years ago)

Other

Published

Title

Published

2023-10-23

Title

LiteSpeed Cache < 5.7 - Contributor+ Stored XSS

Published

2014-08-01

Title

intouch 2.0 - intouch.js.php intouch_failure Parameter Reflected XSS

Published

2025-09-26

Title

Google+ Comments <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-07-11

Title

SKT Skill Bar < 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-07-02

Title

Dmca Watermarker < 1.1 - XSS