
22 matches found

RedhatCVE
added 2025/05/23 2:58 a.m., 3 views

CVE-2023-1129

The WP FEvents Book WordPress plugin through 0.46 does not ensure that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users...

6.5 CVSS, 8.7 AI score, 0.00555 EPSS
Exploits: 2, References: 1
RedhatCVE
added 2025/05/23 2:58 a.m., 3 views

CVE-2023-1126

The WP FEvents Book WordPress plugin through 0.46 does not sanitise and escape some parameters, which could allow any authenticated user, such as a subscriber, to perform Cross-Site Scripting attacks...

5.4 CVSS, 7.5 AI score, 0.00441 EPSS
Exploits: 2, References: 1
OSV
added 2023/04/24 7:15 p.m., 2 views

CVE-2023-1129

The WP FEvents Book WordPress plugin through 0.46 does not ensure that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users...

6.5 CVSS, 6.9 AI score, 0.00555 EPSS
Exploits: 2, References: 1
OSV
added 2023/04/24 7:15 p.m., 2 views

CVE-2023-1126

The WP FEvents Book WordPress plugin through 0.46 does not sanitise and escape some parameters, which could allow any authenticated user, such as a subscriber, to perform Cross-Site Scripting attacks...

5.4 CVSS, 6.7 AI score, 0.00441 EPSS
Exploits: 2, References: 1
NVD
added 2023/04/24 7:15 p.m., 14 views

CVE-2023-1126

The WP FEvents Book WordPress plugin through 0.46 does not sanitise and escape some parameters, which could allow any authenticated user, such as a subscriber, to perform Cross-Site Scripting attacks...

5.4 CVSS, 5.2 AI score, 0.00441 EPSS
Exploits: 2, References: 1
NVD
added 2023/04/24 7:15 p.m., 26 views

CVE-2023-1129

The WP FEvents Book WordPress plugin through 0.46 does not ensure that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users...

6.5 CVSS, 6.4 AI score, 0.00555 EPSS
Exploits: 2, References: 1
Prion
added 2023/04/24 7:15 p.m., 14 views

Cross site scripting

The WP FEvents Book WordPress plugin through 0.46 does not sanitise and escape some parameters, which could allow any authenticated user, such as a subscriber, to perform Cross-Site Scripting attacks...

4.9 CVSS, 5.2 AI score, 0.00441 EPSS
Exploits: 2, References: 1, Affected Software: 1
CVE
added 2023/04/24 6:30 p.m., 51 views

CVE-2023-1126

CVE-2023-1126 affects the WP FEvents Book WordPress plugin (versions

5.4 CVSS, 5.4 AI score, 0.00441 EPSS
Exploits: 2, References: 1, Affected Software: 1
Vulnrichment
added 2023/04/24 6:30 p.m., 7 views

CVE-2023-1126 WP FEvents Book <= 0.46 - Subscriber+ Stored XSS

The WP FEvents Book WordPress plugin through 0.46 does not sanitise and escape some parameters, which could allow any authenticated user, such as a subscriber, to perform Cross-Site Scripting attacks...

6.2 AI score, 0.00441 EPSS
Exploits: 2, References: 1
Vulnrichment
added 2023/04/24 6:30 p.m., 3 views

CVE-2023-1129 WP FEvents Book <= 0.46 - Subscriber+ Arbitrary Booking Manipulation via IDOR

The WP FEvents Book WordPress plugin through 0.46 does not ensure that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users...

6.6 AI score, 0.00555 EPSS
Exploits: 2, References: 1
CVE
added 2023/04/24 6:30 p.m., 54 views

CVE-2023-1129

CVE-2023-1129 concerns WP FEvents Book WordPress plugin (versions <= 0.46). The vulnerability arises from improper access control: bookings to be updated are not verified as belonging to the requesting user, enabling any authenticated user (subscriber level) to book, add notes, or cancel booki...

6.5 CVSS, 6.6 AI score, 0.00555 EPSS
Exploits: 2, References: 1, Affected Software: 1
Cvelist
added 2023/04/24 6:30 p.m., 32 views

CVE-2023-1129 WP FEvents Book <= 0.46 - Subscriber+ Arbitrary Booking Manipulation via IDOR

The WP FEvents Book WordPress plugin through 0.46 does not ensure that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users...

6.6 AI score, 0.00555 EPSS
Exploits: 2, References: 1
CNNVD
added 2023/04/24 12:0 a.m., 3 views

WordPress plugin WP FEvents Book security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...

6.5 CVSS, 7 AI score, 0.00555 EPSS
Exploits: 2, References: 2
CNNVD
added 2023/04/24 12:0 a.m., 2 views

WordPress plugin WP FEvents Book cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting vulnerability...

5.4 CVSS, 6.5 AI score, 0.00441 EPSS
Exploits: 2, References: 2
Positive Technologies
added 2023/04/24 12:0 a.m., 4 views

PT-2023-16775 · WordPress · Wp Fevents Book

Name of the Vulnerable Software and Affected Versions: WP FEvents Book WordPress plugin versions 0.46 and earlier
Description: The issue allows any authenticated user to book, add notes, or cancel bookings on behalf of other users, as the plugin does not ensure that bookings to be updated belong ...

6.5 CVSS, 6.9 AI score, 0.00555 EPSS
Exploits: 2, References: 6
Positive Technologies
added 2023/04/24 12:0 a.m., 4 views

PT-2023-16774 · WordPress · Wp Fevents Book

Name of the Vulnerable Software and Affected Versions: WP FEvents Book WordPress plugin versions 0.46 and earlier
Description: The issue allows any authenticated users, such as subscribers, to perform Cross-Site Scripting attacks due to the plugin not sanitizing and escaping some parameters...

5.4 CVSS, 8.7 AI score, 0.00441 EPSS
Exploits: 2, References: 7
Patchstack
added 2023/04/12 12:0 a.m., 8 views

WordPress WP FEvents Book Plugin <= 0.46 is vulnerable to Cross Site Scripting (XSS)

Software: WP FEvents Book; Type: Plugin; Vulnerable versions: <= 0.46; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting XSS; Classification: Cross Site Scripting XSS; CVE: CVE-2023-1126; Patch priority: High; CVSS severity: High 6.5; Developer: Claim ownership; PSID: 345ebf3e10d0; Credits: Ameen Alkurdy; Required...

5.4 CVSS, 5.6 AI score, 0.00441 EPSS
Exploits: 2, References: 3, Affected Software: 1
Patchstack
added 2023/04/05 12:0 a.m., 17 views

WordPress WP FEvents Book Plugin <= 0.46 is vulnerable to Insecure Direct Object References (IDOR)

Software: WP FEvents Book; Type: Plugin; Vulnerable versions: <= 0.46; Fixed in: N/A; OWASP Top 10: A5: Broken Access Control; Classification: Insecure Direct Object References IDOR; CVE: CVE-2023-1129; Patch priority: Low; CVSS severity: Low 6.3; Developer: Claim ownership; PSID: bdca07c43d3d; Credits: Ameen Alkurdy...

6.5 CVSS, 6.5 AI score, 0.00555 EPSS
Exploits: 2, References: 2, Affected Software: 1
WPVulnDB
added 2023/04/03 12:0 a.m., 14 views

WP FEvents Book <= 0.46 - Subscriber+ Stored XSS

The plugin does not sanitise and escape some parameters, which could allow any authenticated user, such as a subscriber, to perform Cross-Site Scripting attacks.
PoC:
1. Create an event page using the plugin.
2. Access the page using an account with Subscriber role.
3. In the 'User notes' section,...

5.4 CVSS, 5.3 AI score, 0.00441 EPSS
Exploits: 2, Affected Software: 1
WPVulnDB
added 2023/04/03 12:0 a.m., 13 views

WP FEvents Book <= 0.46 - Subscriber+ Arbitrary Booking Manipulation via IDOR

The plugin does not ensure that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users.
PoC:
1. Book or cancel booking an event using an authenticated user.
2. Intercept the request using an HTTP...

6.5 CVSS, 6.7 AI score, 0.00555 EPSS
Exploits: 2, Affected Software: 1