Japan Vulnerability NotesJVN:96165722JVN#96165722: WordPress plugin "WP Booking System" vulnerable to cross-site scripting
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.002 Low
EPSS
Percentile
52.5%
The WordPress plugin “WP Booking System” provided by WP Booking System contains a stored cross-site scripting vulnerability (CWE-79).
Impact
An arbitrary script may be executed on the web browser of a user who logged-in as an administrator.
Solution
Update the plugin
Update the plugin according to the information provided by the developer.
The developer states:
> The Free (1.4 and higher) and the Premium version (3.7 and higher) are patched. Update the plugin or contact the plugin developer at [email protected] if you have any questions.
Products Affected
- WP Booking System Free version prior to version 1.4
- WP Booking System Premium version prior to version 3.7
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.002 Low
EPSS
Percentile
52.5%