The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the ‘Mobile Phone’ field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the ‘Customers’ page and the malicious script is executed in the admin context.
[
{
"vendor": "Unknown",
"product": "Salon booking system",
"versions": [
{
"status": "affected",
"versionType": "semver",
"version": "0",
"lessThan": "9.6.3"
}
],
"defaultStatus": "unaffected"
}
]