Reflected Cross-Site Scripting Vulnerability in Appointments and Events Plugin by WordPress
CVE-2024-12737

Currently unrated

Key Information:

Vendor: WordPress
Status: WP Base Booking Of Appointments, Services And Events
Vendor: CVE Published:; 26 February 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The WP BASE Booking of Appointments, Services and Events plugin for WordPress is susceptible to a reflected cross-site scripting vulnerability, which occurs due to inadequate sanitization and escaping of parameters before they are displayed on web pages. This flaw primarily affects high privilege users, including administrators, potentially allowing attackers to inject malicious scripts that get executed in the users' browsers during page interactions. Users are urged to update to the latest version to mitigate the risk of exploitation.

Affected Version(s)

WP BASE Booking of Appointments, Services and Events 0 < 5.0.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-12737 - Proof of Concept

References

https://wpscan.com/vulnerability/997eb9f6-80e1-4bc5-be72-...

exploitvdb-entrytechnical-description

Timeline

🟡
Public PoC available
Feb 26, 2025
👾
Exploit known to exist
Feb 26, 2025
Vulnerability published
Feb 26, 2025
Vulnerability Reserved
Dec 17, 2024

Credit

Hassan Khan Yusufzai - Splint3r7

WPScan