Advanced Booking Calendar < 1.6.8 - Authenticated Reflected Cross-Site Scripting (XSS)

2021-03-30T00:00:00
ID WPVDB-ID:F06629B5-8B15-48EB-A7A7-78B693E06B71
Type wpvulndb
Reporter iohex
Modified 2021-03-31T05:00:39

Description

The plugin does not sanitise the license error message before outputting it in the settings page, leading to an authenticated reflected Cross-Site Scripting issue.

PoC

https://plugins.trac.wordpress.org/browser/advanced-booking-calendar/tags/1.6.7/backend/settings.php#L550

/wp-admin/admin.php?page=advanced-booking-calendar-show-settings&setting=licenseKeyError&message=
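As an added illustration that is not part of this advisory or of the plugin's code: the pattern the description points at (a request parameter echoed into the settings page without escaping) next to a hardened version of the same output. The function names, the notice markup and the message table are assumptions; `setting` and `message` are the parameter names from the PoC URL, and `esc_html()`, `sanitize_key()` and `wp_unslash()` are WordPress core functions.

```php
<?php
// Added example, not the plugin's code. The parameter names 'setting' and
// 'message' come from the advisory's PoC URL; everything else is assumed.

// Vulnerable pattern (the bug class described above): the request parameter is
// written into the page as-is, so any markup it carries is rendered as markup.
function abc_render_license_error_unsafe() {
    if ( isset( $_GET['setting'] ) && 'licenseKeyError' === $_GET['setting'] ) {
        echo '<div class="notice notice-error"><p>' . $_GET['message'] . '</p></div>';
    }
}

// Hardened pattern: validate the selector against a fixed value, never reflect
// free-form request input, and escape at the point of output.
function abc_render_license_error_safe() {
    // sanitize_key() lowercases and strips everything outside [a-z0-9_-].
    $setting = isset( $_GET['setting'] ) ? sanitize_key( wp_unslash( $_GET['setting'] ) ) : '';
    if ( 'licensekeyerror' !== $setting ) {
        return;
    }

    // The request may only select one of these server-side messages by code;
    // the wording itself never comes from the request.
    $messages = array(
        'invalid' => 'The license key is invalid.',
        'expired' => 'The license key has expired.',
    );
    $code = isset( $_GET['message'] ) ? sanitize_key( wp_unslash( $_GET['message'] ) ) : '';
    $text = isset( $messages[ $code ] ) ? $messages[ $code ] : 'License check failed.';

    // esc_html() encodes <, >, &, " and ' so the value renders as text, not as tags.
    // Escaping is applied even though $text is server-controlled, so the output
    // stays safe if the message table is later fed from user-editable settings.
    echo '<div class="notice notice-error"><p>' . esc_html( $text ) . '</p></div>';
}
```

The page does not describe the change shipped in 1.6.8; the hardened function above is one standard way to close this class of bug. Escaping with `esc_html()` alone already stops the reflected markup; mapping `message` to a fixed table on top of that also prevents an attacker-chosen sentence from being shown to an administrator in the plugin's own error box.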