AttackerKB AKB:B34EE174-9EBD-4A82-852A-975F4FC467A6
Mar 04, 2020 - 12:00 a.m.

CVE-2020-9371

attackerkb.com
7

0.004 Low

EPSS

Percentile

73.3%

Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML.

Recent assessments:

kevthehermit at March 05, 2020 10:29am UTC reported:

This plugin is currently listed as having over 5000 active installations and a little over 3 hundred thousand downloads.

The ability to add an XSS payload is only available when creating or updating calendars, which is an admin-level feature. This means it is unlikely to be valuable to an attacker, as if they already have this level of access there are more damaging attacks that can be performed.

Assessed Attacker Value: 1
Assessed Attacker Value: 5
