Availability Calendar < 1.2.2 - Authenticated Stored Cross-Site Scripting

ID WPVDB-ID:D084C5B1-45F1-4E7E-B3E9-3C98AE4BCE9C
Type wpvulndb
Reporter xiahao@webray.com.cn inc
Modified 2021-09-13T07:54:33


The plugin does not sanitise or escape its Category Names before outputting them in page/post where the associated shortcode is embed, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed


Create a new category via the plugin (/wp-admin/admin.php?page=owaccategory), add the following payload in the Name field: , then view a page/post where the associated Category Shortcode is embed