The plugin does not sanitise and escape the email and general field parameters, which could allow unauthenticated users to perform an iFrame injection attack.

As an unauthenticated user, submit a booking and put an iFrame payload in the email/general field parameter. The iFrame will be executed when a user accesses the injected booking page.
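The defensive counterpart to the flaw described above, as an added example that is not the plugin's own code: the e-mail field is validated on input so markup never reaches storage, and every stored value is HTML-escaped at output so an `<iframe>` in the general field is rendered as inert text. The function names, field names and the sample submission are assumptions made for illustration; the block uses plain PHP so it runs from the CLI, with the WordPress equivalents noted in comments.

```php
<?php
// Added example (not the plugin's code): input validation and output escaping
// for the two booking fields named in the advisory. Function and field names
// and the sample submission are assumptions for illustration. In a WordPress
// plugin the equivalents are sanitize_email(), sanitize_text_field() and
// esc_html() / esc_attr().

declare(strict_types=1);

/**
 * Validate the submitted e-mail on input: anything that is not a
 * syntactically valid address is rejected, so tags never reach storage.
 */
function sanitize_booking_email(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/**
 * Free-text "general" field: keep the text, strip control characters and
 * cap the length. HTML escaping is deliberately NOT done here; it belongs
 * at the output boundary so the stored value stays context-neutral.
 */
function sanitize_booking_general(string $raw, int $maxLen = 500): string
{
    $clean = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $raw) ?? '';
    return mb_substr(trim($clean), 0, $maxLen);
}

/**
 * Output escaping: each value is HTML-escaped when the booking page is
 * rendered, so an <iframe> (or any other tag) becomes visible text.
 */
function render_booking_row(array $booking): string
{
    $esc = static fn(string $v): string =>
        htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    return '<tr><td>' . $esc($booking['email']) . '</td>'
         . '<td>' . $esc($booking['general']) . '</td></tr>';
}

// --- Constructed sample submission (not captured from any real site) ---
$submission = [
    'email'   => 'guest@example.com',
    'general' => 'Please call first <iframe src="https://example.invalid"></iframe>',
];

$email   = sanitize_booking_email($submission['email']);
$general = sanitize_booking_general($submission['general']);
assert($email !== null);

$html = render_booking_row(['email' => $email, 'general' => $general]);

// The tag survives only as escaped text: no <iframe element is emitted.
assert(strpos($html, '<iframe') === false);
assert(strpos($html, '&lt;iframe') !== false);
echo $html, PHP_EOL;

// An e-mail address carrying markup fails validation and is never stored.
assert(sanitize_booking_email('x<iframe></iframe>@example.com') === null);
```

The split matters: validating the e-mail field rejects markup outright because an address has a strict syntax, while the general field is free text and must be allowed to contain angle brackets, so its protection is escaping at render time rather than filtering at submission time.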
CPE

| Name | Operator | Version |
|---|---|---|
| appointment-hour-booking | lt | 1.3.73 |