CVE-2024-2101

2024-04-1705:15:48

WPScan

web.nvd.nist.gov

wordpress plugin

stored cross-site scripting

mobile phone field

CVSS3

5.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score

Confidence

High

EPSS

Percentile

9.0%

JSON

The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the ‘Mobile Phone’ field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the ‘Customers’ page and the malicious script is executed in the admin context.

Affected configurations

Vulners

Vulnrichment

Node

salon_booking_systemsalon_booking_systemRange<9.6.3wordpress

VendorProductVersionCPE
salon_booking_systemsalon_booking_system*cpe:2.3:a:salon_booking_system:salon_booking_system:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
salon_booking_system	salon_booking_system	*	cpe:2.3:a:salon_booking_system:salon_booking_system::::::wordpress::*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Salon booking system",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "9.6.3"
      }
    ],
    "defaultStatus": "unaffected"
  }
]