Lucene search

WPScanVULNRICHMENT:CVE-2024-7129

HistorySep 13, 2024 - 6:00 a.m.

CVE-2024-7129 Appointment Booking Calendar < 1.6.7.43 - Admin+ Template Injection to RCE

2024-09-1306:00:03

WPScan

github.com

cve-2024-7129

appointment booking calendar

template injection

rce

wordpress plugin

twig template injection

remote code execution

admin privilege

AI Score

Confidence

High

EPSS

0.001

Percentile

20.0%

SSVC

Exploitation

poc

Automatable

Technical Impact

total

JSON

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to remote code Execution by high privilege such as admins

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:nqquared:appointment_booking_calendar:*:*:*:*:*:*:*:*"
    ],
    "vendor": "nqquared",
    "product": "appointment_booking_calendar",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "1.6.7.43",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "affected"
  }
]

References

wpscan.com/vulnerability/00ad9b1a-97a5-425f-841e-ea48f72ecda4/