The WP Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters from 'timeline_obj' in all versions up to, and including, 10.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
History

Tue, 03 Sep 2024 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Wpbookingcalendar
Wpbookingcalendar wp Booking Calendar
CPEs cpe:2.3:a:wpbookingcalendar:wp_booking_calendar:*:*:*:*:*:wordpress:*:*
Vendors & Products Wpbookingcalendar
Wpbookingcalendar wp Booking Calendar

Fri, 30 Aug 2024 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 30 Aug 2024 09:45:00 +0000

Type Values Removed Values Added
Description The WP Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters from 'timeline_obj' in all versions up to, and including, 10.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title WP Booking Calendar <= 10.5 - Reflected Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-08-30T09:29:48.794Z

Updated: 2024-08-30T13:26:07.765Z

Reserved: 2024-08-28T17:51:30.320Z

Link: CVE-2024-8274

cve-icon Vulnrichment

Updated: 2024-08-30T13:26:03.433Z

cve-icon NVD

Status : Analyzed

Published: 2024-08-30T10:15:08.070

Modified: 2024-09-03T14:28:06.853

Link: CVE-2024-8274

cve-icon Redhat

No data.