Stored Cross-Site Scripting Vulnerability in Salon Booking System Plugin for WordPress
CVE-2024-9882
What is CVE-2024-9882?
The Salon Booking System plugin for WordPress prior to version 1.9.4 fails to properly sanitize and escape certain settings, exposing environments to potential stored cross-site scripting (XSS) attacks. This vulnerability allows users with high privileges, such as administrators, to execute harmful scripts even in configurations where unfiltered HTML input is restricted. Particularly concerning is its impact on multisite setups where administrative controls are crucial for maintaining security integrity.
Affected Version(s)
Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses 0 < 1.9.4
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved