Stored Cross-Site Scripting Vulnerability in WP Booking Calendar Plugin
CVE-2024-10893
Key Information:
- Vendor
- Wordpress
- Status
- Vendor
- CVE Published:
- 3 December 2024
Badges
Summary
The WP Booking Calendar WordPress plugin, prior to version 10.6.5, is susceptible to a stored cross-site scripting (XSS) vulnerability. This issue arises from the failure to properly sanitize and escape certain settings, allowing high privilege users, such as administrators, to execute XSS attacks. Even in configurations where the unfiltered_html capability is restricted (such as multisite setups), the vulnerability can still be exploited, posing a significant security risk for WordPress sites using this plugin.
Affected Version(s)
WP Booking Calendar 0 < 10.6.5
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
Timeline
- π‘
Public PoC available
- πΎ
Exploit known to exist
Vulnerability published
Vulnerability Reserved