Amelia Booking <= 1.0.46 Stored Cross Site Scripting
CVE-2022-0834

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Booking For Appointments And Events Calendar – Amelia
Vendor: CVE Published:; 23 March 2022

What is CVE-2022-0834?

The Amelia WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the lastName parameter found in the ~/src/Application/Controller/User/Customer/AddCustomerController.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user accesses the booking calendar with the date the attacker has injected the malicious payload into. This affects versions up to and including 1.0.46.

Affected Version(s)

Booking for Appointments and Events Calendar – Amelia * <= 1.0.46

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://www.wordfence.com/vulnerability-advisories/#CVE-2...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 23, 2022
Vulnerability Reserved
Mar 2, 2022

Credit

Vinay Kumar