CVE-2022-4035

Опубликовано: 29 нояб. 2022

Источник: nvd

CVSS3: 7.2

CVSS3: 6.1

EPSS Низкий

Описание

The Appointment Hour Booking plugin for WordPress is vulnerable to iFrame Injection via the ‘email’ or general field parameters in versions up to, and including, 1.3.72 due to insufficient input sanitization and output escaping that makes injecting iFrame tags possible. This makes it possible for unauthenticated attackers to inject iFrames when submitting a booking that will execute whenever a user accesses the injected booking details page.

Ссылки

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2803896%40appointment-hour-booking&new=2803896%40appointment-hour-booking&sfp_email=&sfph_mail=
Patch
Third Party Advisory
https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4035
Third Party Advisory
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2803896%40appointment-hour-booking&new=2803896%40appointment-hour-booking&sfp_email=&sfph_mail=
Patch
Third Party Advisory
https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4035
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:dwbooster:appointment_hour_booking:*:*:*:*:*:wordpress:*:*

Версия до 1.3.72 (включая)

EPSS

Процентиль: 83%

0.01846

Низкий

7.2 High

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-5p9x-cmrm-q356

CVSS3: 6.1

github

больше 2 лет назад

EPSS

Процентиль: 83%

0.01846

Низкий

7.2 High

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79