CVE-2021-24225

Severity
5.4 MEDIUM
EPSS
0.2%
top 62.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 12
Latest update: May 24

Description

The Advanced Booking Calendar WordPress plugin before 1.6.7 did not sanitise the calId GET parameter in the "Seasons & Calendars" page before outputting it in an A tag, leading to a reflected XSS issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (2 packages)

Patches

Vulnerability Details (2)

GHSA
GHSA-2hmj-h5rh-f294: The Advanced Booking Calendar WordPress plugin before 1 (2022-05-24)
CVEList
Advanced Booking Calendar < 1.6.7 - Authenticated Reflected Cross-Site Scripting (XSS) (2021-04-12)