Stored Cross-Site Scripting vulnerability in Salon booking system WordPress plugin

CVE-2024-2102

Currently unrated 🤨

Key Information

Vendor: WordPress
Status: Salon Booking System
Vendor: CVE Published:; 17 April 2024

Summary

The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field and 'sms_prefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Bookings' page and the malicious script is executed in the admin context.

Affected Version(s)

Salon booking system < 9.6.3

Timeline

Vulnerability published.
Apr 17, 2024
Vulnerability Reserved.
Mar 1, 2024

Collectors

NVD DatabaseMitre Database

Credit

WPScan