Описание
The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Customers' page and the malicious script is executed in the admin context.
Ссылки
- ExploitThird Party Advisory
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 9.6.3 (исключая)
cpe:2.3:a:salonbookingsystem:salon_booking_system:*:*:*:*:*:wordpress:*:*
EPSS
Процентиль: 71%
0.00665
Низкий
5.7 Medium
CVSS3
Дефекты
CWE-79
Связанные уязвимости
CVSS3: 5.7
github
почти 2 года назад
The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Customers' page and the malicious script is executed in the admin context.
EPSS
Процентиль: 71%
0.00665
Низкий
5.7 Medium
CVSS3
Дефекты
CWE-79