Reflected Cross-Site Scripting Vulnerability in Booking Package Plugin for WordPress
CVE-2024-13508

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Booking Package
Vendor: CVE Published:; 19 February 2025

What is CVE-2024-13508?

The Booking Package plugin for WordPress has a vulnerability that allows unauthenticated attackers to exploit reflected cross-site scripting flaws via the locale parameter. This vulnerability is due to inadequate input sanitization and output escaping in the plugin's processing of user inputs. Attackers can inject arbitrary web scripts into affected pages, potentially deceiving users into executing malicious actions, such as clicking on a specially crafted link, leading to unauthorized actions and data exposure.

Affected Version(s)

Booking Package * <= 1.6.72

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/booking-packag...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 19, 2025