Lucene search

WPScanCVE-2024-7129

HistorySep 13, 2024 - 6:15 a.m.

CVE-2024-7129

2024-09-1306:15:15

WPScan

web.nvd.nist.gov

wordpress

twig template injection

remote code execution

admins

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

20.0%

JSON

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to remote code Execution by high privilege such as admins

Affected configurations

Nvd

Vulners

Vulnrichment

Node

nsquasimply_schedule_appointmentsRange<1.6.7.43wordpress

VendorProductVersionCPE
nsquasimply_schedule_appointments*cpe:2.3:a:nsqua:simply_schedule_appointments:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
nsqua	simply_schedule_appointments	*	cpe:2.3:a:nsqua:simply_schedule_appointments::::::wordpress::*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "1.6.7.43"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

wpscan.com/vulnerability/00ad9b1a-97a5-425f-841e-ea48f72ecda4/

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

20.0%

JSON

Related for CVE-2024-7129