CVE-2022-43482 – WordPress Appointment Booking Calendar plugin <= 1.3.69 - Missing Authorization vulnerability
https://notcve.org/view.php?id=CVE-2022-43482
Missing Authorization vulnerability in Appointment Booking Calendar plugin <= 1.3.69 on WordPress. The Appointment Booking Calendar plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the cpabcal_feedback() function in versions up to, and including, 1.3.69. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to submit plugin feedback. This can also be exploited via CSRF due to missing nonce validation.
• https://patchstack.com/database/vulnerability/appointment-booking-calendar/wordpress-appointment-booking-calendar-plugin-1-3-69-missing-authorization-vulnerability?_s_id=cve
• CWE-862: Missing Authorization
CVE-2020-9371 – Appointment Booking Calendar <= 1.3.34 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-9371
Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML. WordPress Appointment Booking Calendar plugin version 1.3.34 suffers from a CSV injection vulnerability.
• https://www.exploit-db.com/exploits/48204
• http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html
• https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9
• https://wordpress.org/plugins/appointment-booking-calendar/#developers
• https://wpvulndb.com/vulnerabilities/10110
• https://www.hotdreamweaver.com/support/view.php?id=815925
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-9372 – Appointment Booking Calendar <= 1.3.34 - CSV Injection
https://notcve.org/view.php?id=CVE-2020-9372
The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.
• https://www.exploit-db.com/exploits/48204
• http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html
• https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9
• https://wordpress.org/plugins/appointment-booking-calendar/#developers
• https://www.hotdreamweaver.com/support/view.php?id=815925
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File
CVE-2019-14791 – Appointment Booking Calendar < 1.3.19 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-14791
The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea parameter.
• https://wordpress.org/plugins/appointment-booking-calendar/#developers
• https://wpvulndb.com/vulnerabilities/9426
• https://www.pluginvulnerabilities.com/2019/07/03/hackers-look-to-be-targeting-the-wordpress-plugin-appointment-booking-calendar-which-is-yet-another-insecure-plugin-from-code-people
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-10916 – Appointment Booking Calendar <= 1.1.23 - SQL Injection
https://notcve.org/view.php?id=CVE-2016-10916
The appointment-booking-calendar plugin before 1.1.24 for WordPress has SQL injection, a different vulnerability than CVE-2015-7319.
• https://wordpress.org/plugins/appointment-booking-calendar/#developers
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')