wpexploit | BrunoModificato | WPEX-ID:ED162CCC-88E6-41E8-B24D-1B9F77A038B6
May 23, 2022 - 12:00 a.m.

Appointment Hour Booking < 1.3.56 - Admin+ Stored Cross-Site Scripting

Tags: xss, cross-site scripting, calendar, admin+, exploit

EPSS: 0.001 (percentile: 24.8%)

The plugin does not sanitise and escape a setting of its Calendar fields, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Create/edit a calendar, and put the following payload in the "Additional CSS Class" settings of a field:

v < 1.3.55:
    "><img src=x onerror=alert(/XSS/)><"
v < 1.3.56:
    backend: " style=animation-name:rotation onanimationstart=alert(/XSS/)//
    frontend: " style=position:absolute;top:0;left:0;max-width:9999px;width:9999px;height:9999px onmouseover=alert(/XSS/)//

The XSS will be triggered in the post/page where the Calendar is embedded, as well as when accessing the field settings while editing the calendar.
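The missing step on the defender's side, as an added example that is not the plugin's code: reduce the "Additional CSS Class" value to plain class tokens when it is saved, and escape it again when it is written into the class attribute. The function names and the input field markup are hypothetical; the first sample value is constructed, the other two are the values quoted above.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Function names are hypothetical.

// Reduce a free-text "Additional CSS Class" value to plain class tokens.
// Same allowlist idea as WordPress's sanitize_html_class(): A-Z a-z 0-9 _ -
function sanitize_class_list(string $raw): string
{
    $clean = [];
    foreach (preg_split('/\s+/', $raw, -1, PREG_SPLIT_NO_EMPTY) as $token) {
        $token = preg_replace('/[^A-Za-z0-9_-]/', '', $token);
        if ($token !== '') {
            $clean[] = $token;
        }
    }
    return implode(' ', array_unique($clean));
}

// Escape at output as well, so a value stored before the sanitiser existed
// still cannot close the attribute (esc_attr() plays this role in WordPress).
function render_field(string $name, string $cssClass): string
{
    return sprintf(
        '<input type="text" name="%s" class="%s">',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars(sanitize_class_list($cssClass), ENT_QUOTES, 'UTF-8')
    );
}

// Markup is intact when the tag still has one "<", three quoted attributes,
// and no event-handler or style attribute.
function markup_intact(string $html): bool
{
    return substr_count($html, '<') === 1 && substr_count($html, '"') === 6
        && preg_match('/\son[a-z]+\s*=|\sstyle\s*=/i', $html) === 0;
}

$samples = [
    'col-md-6 my_field',                                    // constructed, benign
    '"><img src=x onerror=alert(/XSS/)><"',                 // value quoted on this page
    '" style=animation-name:rotation onanimationstart=alert(/XSS/)//', // value quoted on this page
];
foreach ($samples as $value) {
    $html = render_field('email', $value);
    echo (markup_intact($html) ? 'OK   ' : 'FAIL ') . $html . PHP_EOL;
}
```

The second and third samples show why both steps matter: the first value depends on angle brackets, while the second needs only a double quote to leave the attribute, so filtering tags alone does not close the issue.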
