CSV Injection Vulnerability in Appointment Hour Booking Plugin for WordPress
CVE-2022-4034
5.8 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 29 November 2022
Summary
The Appointment Hour Booking Plugin for WordPress is susceptible to CSV Injection, allowing unauthenticated attackers to insert untrusted input during booking creation. This compromised content can be exported as a CSV file, which may lead to code execution if the file is downloaded and executed in a vulnerable environment. Users are advised to update their plugin to the latest version to mitigate these risks.
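A common mitigation for this class of issue is to neutralise formula-leading characters in every cell at export time. The sketch below is an added example, not the plugin's code or its actual fix; the function names and the sample bookings are hypothetical and constructed for illustration.

```php
<?php
// Added example: neutralise spreadsheet formula triggers before CSV export.
// Function names and sample rows are hypothetical, not taken from the plugin.

/**
 * Return a cell value that a spreadsheet will treat as text.
 * Values starting with =, +, -, @, tab or carriage return are prefixed
 * with a single quote so they are not evaluated as formulas.
 * Note: this also prefixes legitimate values such as "-5".
 */
function neutralise_csv_cell($value): string
{
    $value = (string) $value;
    if ($value !== '' && strpbrk($value[0], "=+-@\t\r") !== false) {
        return "'" . $value;
    }
    return $value;
}

/** Write rows to a CSV stream with every cell neutralised first. */
function export_bookings_csv($stream, array $rows): void
{
    foreach ($rows as $row) {
        // fputcsv handles quoting of commas, double quotes and newlines.
        fputcsv($stream, array_map('neutralise_csv_cell', $row), ',', '"', '\\');
    }
}

// Constructed sample bookings; the third row carries formula-style input.
$bookings = [
    ['name', 'email', 'comment'],
    ['Alice Example', 'alice@example.test', 'See you at 10:00'],
    ['=1+1', 'bob@example.test', '@SUM(A1:A2)'],
    ['Carol', 'carol@example.test', '-5 minutes late, sorry'],
];

$out = fopen('php://memory', 'w+');
export_bookings_csv($out, $bookings);
rewind($out);
echo stream_get_contents($out);
fclose($out);
```

Applying the neutralisation at export rather than at input keeps the stored booking data unchanged and covers rows that were saved before the fix.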
Affected Version(s)
Appointment Hour Booking – WordPress Booking Plugin * <= 1.3.72
References
CVSS V3.1
- Score: 5.8
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Luca Greeb
Andreas Krüger