Stored Cross-Site Scripting vulnerability in Salon booking system WordPress plugin

CVE-2024-2101

Currently unrated 🤨

Key Information

Vendor: WordPress
Status: Salon Booking System
Vendor: CVE Published:; 17 April 2024

Summary

The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Customers' page and the malicious script is executed in the admin context.

Affected Version(s)

Salon booking system < 9.6.3

Timeline

Vulnerability published.
Apr 17, 2024
Vulnerability Reserved.
Mar 1, 2024

Collectors

NVD DatabaseMitre Database

Credit

Priyanka Pande

WPScan