Stored Cross-Site Scripting Vulnerability in WP Booking Calendar Plugin
CVE-2024-10893

Currently unrated

Key Information:

Vendor: Wordpress
Status: WP Booking Calendar
Vendor: CVE Published:; 3 December 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-10893?

The WP Booking Calendar WordPress plugin, prior to version 10.6.5, is susceptible to a stored cross-site scripting (XSS) vulnerability. This issue arises from the failure to properly sanitize and escape certain settings, allowing high privilege users, such as administrators, to execute XSS attacks. Even in configurations where the unfiltered_html capability is restricted (such as multisite setups), the vulnerability can still be exploited, posing a significant security risk for WordPress sites using this plugin.

Affected Version(s)

WP Booking Calendar 0 < 10.6.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10893 - Proof of Concept

References

https://wpscan.com/vulnerability/a230a552-3fda-4145-810f-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Dec 3, 2024
👾
Exploit known to exist
Dec 3, 2024
Vulnerability published
Dec 3, 2024
Vulnerability Reserved
Nov 5, 2024

Credit

Dmitrii Ignatyev

WPScan

Wordpress