Unauthenticated Reflected XSS in WordPress Booking Plugin Allows Arbitrary Script Execution
CVE-2024-8663

6.1 MEDIUM

Key Information:

Vendor
WordPress
CVE Published:
13 September 2024

Summary

The WP Simple Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS). The plugin outputs the return value of the WordPress helpers add_query_arg() and remove_query_arg() without escaping it. When these helpers are called without an explicit URL they build their result on the current request URI ($_SERVER['REQUEST_URI']), and they do not escape what they return, so attacker-controlled query-string content is reflected into the page. An attacker who lures a user into opening a crafted link can therefore execute arbitrary script in that user's browser session, with no authentication required on the attacker's side; the impact depends on the victim's privileges, up to and including unauthorised actions performed as an administrator. The defensive rule this advisory illustrates is that the output of add_query_arg()/remove_query_arg() must be passed through esc_url() (or esc_url_raw() for non-HTML contexts) before it is printed.
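The following added example, which is not code from the plugin or from WordPress core, shows the pattern described above in a form that runs stand-alone with the PHP CLI. The two functions suffixed _stub are simplified stand-ins for add_query_arg() and esc_url(): the first reproduces the two behaviours that matter (it starts from $_SERVER['REQUEST_URI'] and rebuilds the query string without re-encoding values), the second applies an allow-list modelled on the one core uses to strip characters such as " < > from a URL. The admin page slug, the parameter names and the request line are constructed for the illustration and are not taken from the plugin.

```php
<?php
// Added illustration of the add_query_arg() reflected-XSS pattern.
// Both *_stub functions are simplified stand-ins for WordPress core,
// written here so the script runs without a WordPress install.

// Stand-in for add_query_arg( $key, $value ) with no URL argument: core
// starts from $_SERVER['REQUEST_URI'], parses the query string (which
// URL-decodes every value) and rebuilds it WITHOUT re-encoding.
function add_query_arg_stub(string $key, string $value): string
{
    $parts = explode('?', $_SERVER['REQUEST_URI'], 2);
    parse_str($parts[1] ?? '', $args);      // decodes %22 -> " , %3C -> < ...
    $args[$key] = $value;
    $pairs = [];
    foreach ($args as $k => $v) {
        $pairs[] = $k . '=' . $v;           // no urlencode(): decoded bytes pass through
    }
    return $parts[0] . '?' . implode('&', $pairs);
}

// Stand-in for esc_url(): the relevant step is an allow-list that removes
// every byte outside it, which discards " < > and whitespace; the remaining
// & and ' are entity-encoded for use inside an HTML attribute.
function esc_url_stub(string $url): string
{
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\[\]\\x80-\\xff]|i', '', $url);
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the helper's return value lands directly in an attribute.
function render_link_vulnerable(): string
{
    return '<a href="' . add_query_arg_stub('tab', 'calendar') . '">Calendar</a>';
}

// Hardened pattern: same call, but the URL is escaped before output.
function render_link_hardened(): string
{
    return '<a href="' . esc_url_stub(add_query_arg_stub('tab', 'calendar')) . '">Calendar</a>';
}

// Constructed request line (hypothetical admin page slug): the payload arrives
// URL-encoded, exactly as a browser would send it from a crafted link.
$_SERVER['REQUEST_URI'] =
    '/wp-admin/admin.php?page=example-booking-settings'
    . '&x=%22%3E%3Cscript%3Ealert(1)%3C/script%3E';

echo "vulnerable: ", render_link_vulnerable(), PHP_EOL;
echo "hardened:   ", render_link_hardened(), PHP_EOL;

// Quick check a reviewer can grep for: does raw markup survive into the output?
$leaks = strpos(render_link_vulnerable(), '"><script>') !== false;   // true
$fixed = strpos(render_link_hardened(), '<script>') === false;       // true
echo "payload reflected unescaped: ", var_export($leaks, true), PHP_EOL;
echo "payload neutralised by escaping: ", var_export($fixed, true), PHP_EOL;
```

Running `php` on the file prints the vulnerable anchor with `x="><script>alert(1)</script>` breaking out of the href attribute, and the hardened anchor with the quotes and angle brackets stripped. The same check applies to any plugin: search for `add_query_arg(` and `remove_query_arg(` in echo, printf or attribute contexts and confirm each result is wrapped in esc_url().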

Affected Version(s)

WP Simple Booking Calendar * <= 2.0.10


CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published: 13 September 2024

  • Vulnerability reserved

Credit

Dale Mavers