CVE-2024-2101

CWE-79Cross-site Scripting (XSS)3 documents3 sources
Severity
5.7MEDIUM
EPSS
0.7%
top 28.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Salon Booking SystemSalonbookingsystem Salon Booking System
Timeline
PublishedApr 17

Description

The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Customers' page and the malicious script is executed in the admin context.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:NExploitability: 2.1 | Impact: 3.6

Affected Packages2 packages

CVEListV5unknown/salon_booking_system< 9.6.3

🔴Vulnerability Details

2
GHSA
GHSA-4xpx-694q-f2wv: The Salon booking system WordPress plugin before 92024-04-17
CVEList
WordPress Plugin Salon Booking System < 9.6.3 - Unauthenticated Stored Cross-Site Scripting (XSS)2024-04-17
CVE-2024-2101 (MEDIUM CVSS 5.7) | The Salon booking system WordPress | cvebase.io