Stored Cross-Site Scripting Vulnerability in Booking Calendar Plugin for WordPress
CVE-2024-9504

7.2 HIGH

What is CVE-2024-9504?

The Booking Calendar, Appointment Booking System plugin for WordPress has a vulnerability that allows for Stored Cross-Site Scripting via SVG file uploads. This vulnerability arises from inadequate input sanitization and output escaping in versions up to and including 3.2.15. Unauthenticated attackers could exploit this weakness to inject malicious web scripts into web pages, which would execute when users access the compromised SVG files, potentially leading to unauthorized access and manipulation of site content.

Affected Version(s)

Booking calendar, Appointment Booking System * <= 3.2.15

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
