Description
The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.
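The weakness described above (CWE-1236) is that booking-form input is written into the exported CSV unchanged, so a cell beginning with `=`, `+`, `-`, `@`, a tab or a carriage return is evaluated as a formula by the spreadsheet that opens the file. The following is an added example, not code from the plugin or its vendor; it is written in Python rather than the plugin's PHP, and the field names and booking rows are constructed for illustration. It shows the neutralization an exporter should apply (prefixing such cells with a single quote, as in the OWASP CSV-injection guidance) and a scanner that flags formula-like cells in an export, which is useful for checking a patched version's output.

```python
import csv
import io

# Leading characters that common spreadsheet applications treat as the start of a
# formula (OWASP CSV injection guidance): =, +, -, @, tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample bookings (not real data); row 2 and row 3 carry user input
# that a spreadsheet would evaluate if exported verbatim.
FIELDS = ["name", "description"]
SAMPLE_BOOKINGS = [
    {"name": "Alice Example", "description": "Routine checkup"},
    {"name": "=SUM(1,2)", "description": "Constructed formula-looking name"},
    {"name": "Bob Example", "description": "-2+3 (constructed formula-looking text)"},
]


def neutralize_cell(value):
    """Make one cell safe for CSV export by prefixing formula triggers with a quote.

    The single quote makes the spreadsheet treat the cell as literal text. Note
    that legitimate values such as "+1 555 0100" are prefixed too; that is the
    accepted trade-off for an export meant to be opened in a spreadsheet.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_bookings_csv(rows, fieldnames, neutralize=True):
    """Render bookings as CSV text.

    neutralize=False reproduces the unsafe behaviour (user input copied verbatim);
    neutralize=True is the hardened form.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        cells = {}
        for key in fieldnames:
            raw = row.get(key)
            cells[key] = neutralize_cell(raw) if neutralize else ("" if raw is None else str(raw))
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan exported CSV text and return (line, column, cell) for every cell that
    a spreadsheet would interpret as a formula. Line 1 is the header row."""
    findings = []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for col, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                findings.append((lineno, col, cell))
    return findings


if __name__ == "__main__":
    unsafe = export_bookings_csv(SAMPLE_BOOKINGS, FIELDS, neutralize=False)
    print("unsafe export flags:", find_formula_cells(unsafe))
    safe = export_bookings_csv(SAMPLE_BOOKINGS, FIELDS)
    print("hardened export flags:", find_formula_cells(safe))
    print(safe)
```

Quoting every field (`QUOTE_ALL`) does not by itself stop formula evaluation, which is why the leading-character check is needed in addition; the scanner can be pointed at a real export to confirm that no cell still begins with a trigger character.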
References
- Exploit, Third Party Advisory, VDB Entry
- Exploit, Third Party Advisory
- Release Notes, Third Party Advisory
- Permissions Required
Vulnerable configurations
Configuration 1: version before 1.3.35 (excluding)
cpe:2.3:a:codepeople:appointment_booking_calendar:*:*:*:*:*:wordpress:*:*
EPSS
- Score: 0.1934 (percentile: 95%), severity: Medium
CVSS3: 7.8 High
CVSS2: 6.8 Medium
Weaknesses
CWE-1236 (Improper Neutralization of Formula Elements in a CSV File)
Related vulnerabilities
- github, more than 3 years ago