Stored Cross-Site Scripting Vulnerability in WpRently Plugin for WooCommerce by WordPress
CVE-2024-12412

6.1 MEDIUM

Summary

The WpRently plugin for WordPress, used for managing rentals and bookings with WooCommerce integration, is vulnerable to Stored Cross-Site Scripting via the 'active_tab' parameter due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary web scripts into pages, and those scripts execute whenever a user accesses an injected page. This can lead to unauthorized access to and manipulation of user data. All versions up to and including 2.2.1 are affected.

Affected Version(s)

Rental and Booking Manager for Bike, Car, Dress, Resort with WooCommerce Integration – WpRently | WordPress plugin * <= 2.2.1

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dale Mavers