iFrame Injection Vulnerability in Appointment Hour Booking Plugin for WordPress
CVE-2022-4035

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Appointment Hour Booking – WordPress Booking Plugin
Vendor: CVE Published:; 29 November 2022

Summary

The Appointment Hour Booking plugin for WordPress suffers from an iFrame Injection vulnerability due to inadequate input sanitization and output escaping. This flaw allows unauthenticated attackers to inject malicious iFrame tags through the 'email' or general field parameters. Consequently, whenever a user accesses the booking details page, the injected iFrames will execute, potentially compromising user data and the overall security of the website.

Affected Version(s)

Appointment Hour Booking – WordPress Booking Plugin * <= 1.3.72

References

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

https://www.wordfence.com/vulnerability-advisories-contin...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Nov 29, 2022
Vulnerability Reserved
Nov 16, 2022

Credit

Luca Greeb

Andreas Krüger