Reflected Cross-Site Scripting in WP BASE Booking for WordPress
CVE-2024-12469

6.1 MEDIUM

Key Information:

Vendor
WordPress
CVE Published:
17 December 2024

Summary

CVE-2024-12469 describes a reflected cross-site scripting (XSS) vulnerability, rated 6.1 (Medium) under CVSS v3.1, in the WP BASE Booking of Appointments, Services and Events plugin for WordPress. All versions up to and including 4.9.1 are affected. The flaw arises from insufficient input sanitization and output escaping of the ‘status’ parameter: because the value is reflected back into the page without proper escaping, an attacker can inject arbitrary web script that executes in the browser of any user who is tricked into following a specially crafted link. No authentication is required, so the vulnerability poses a significant risk to users, potentially leading to data theft, session hijacking, and other malicious activity.
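The root cause named above, a request parameter reflected into a page without sanitization or escaping, is the standard reflected-XSS pattern in WordPress plugins. The following is an added illustrative example written for this page; it is not code from the WP BASE Booking plugin and does not show how the plugin actually handles the parameter. Only the parameter name `status` comes from the advisory; the function names (`wpb_example_*`), the allowed status values and the HTML markup are assumptions for illustration. The sanitization and escaping calls (`sanitize_text_field`, `wp_unslash`, `esc_html`, `esc_attr`, `esc_html__`, `wp_die`) are WordPress core functions, so the code assumes it runs inside a loaded WordPress environment.

```php
<?php
// Added illustrative example; not code from the WP BASE Booking plugin.
// Assumes WordPress is loaded (sanitize_text_field, wp_unslash, esc_html,
// esc_attr, esc_html__ and wp_die are WordPress core functions).
// The parameter name 'status' comes from the advisory; the handler names,
// the allowed status values and the HTML are assumptions for illustration.

/**
 * Vulnerable pattern (the class of bug the advisory describes):
 * a request parameter is echoed into the page unescaped, so any
 * markup the parameter contains becomes part of the rendered document.
 */
function wpb_example_render_status_vulnerable() {
    $status = isset( $_GET['status'] ) ? $_GET['status'] : '';
    echo '<div class="booking-status">' . $status . '</div>';
}

/**
 * Assumed set of status values for this example; a real plugin would
 * derive this from its own data model.
 */
function wpb_example_allowed_statuses() {
    return array( 'pending', 'confirmed', 'cancelled', 'completed' );
}

/**
 * Hardened pattern: sanitize the raw input, validate it against the
 * values the application actually uses, then escape for the HTML
 * context at the point of output.
 */
function wpb_example_render_status_hardened() {
    // 1. Unslash and strip tags/control characters from the raw input.
    $status = isset( $_GET['status'] )
        ? sanitize_text_field( wp_unslash( $_GET['status'] ) )
        : '';

    // 2. Allow-list: anything outside the known set is rejected outright
    //    rather than reflected back, so unexpected input never reaches the page.
    if ( '' !== $status && ! in_array( $status, wpb_example_allowed_statuses(), true ) ) {
        wp_die( esc_html__( 'Invalid status.', 'wpb-example' ), '', array( 'response' => 400 ) );
    }

    // 3. Escape for the context in which the value is emitted, even though it
    //    has already been validated: esc_attr() inside an attribute,
    //    esc_html() inside element content. Validation and escaping are
    //    independent layers; neither replaces the other.
    printf(
        '<div class="booking-status" data-status="%s">%s</div>',
        esc_attr( $status ),
        esc_html( $status )
    );
}
```

The two output functions differ only in what happens to `$_GET['status']` before it reaches the page. Escaping at the output point with the context-appropriate function is the fix that closes this bug class; the allow-list is defence in depth that also keeps arbitrary strings out of the page entirely.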

Affected Version(s)

WP BASE Booking of Appointments, Services and Events: all versions <= 4.9.1

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Dale Mavers