CVE-2021-24429
Last modified
CVE-2021-24429 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. The Salon booking system WordPress plugin before 6.3.1 does not properly sanitise and escape the First Name field when booking an appointment, allowing low privilege users such as subscriber to set JavaScript in them, leading to a Stored Cross-Site Scripting (XSS) vulnerability. The Payload will then be triggered when an admin visits the "Calendar" page and the malicious script is executed in the admin context.. EPSS estimates a 1.24% chance of exploitation in the next 30 days.
Description
The Salon booking system WordPress plugin before 6.3.1 does not properly sanitise and escape the First Name field when booking an appointment, allowing low privilege users such as subscriber to set JavaScript in them, leading to a Stored Cross-Site Scripting (XSS) vulnerability. The Payload will then be triggered when an admin visits the "Calendar" page and the malicious script is executed in the admin context.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Salonbookingsystem | Salon Booking System | < 6.3.1 |
References
- https://wpscan.com/vulnerability/e922b788-7da5-43b4-9b05-839c8610252aExploit, Third Party Advisory
- https://wpscan.com/vulnerability/e922b788-7da5-43b4-9b05-839c8610252aExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-24429?
How severe is CVE-2021-24429?
How do I fix CVE-2021-24429?
Are you affected by CVE-2021-24429?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST