3 results (0.001 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in PINPOINT.WORLD Pinpoint Booking System allows Stored XSS.This issue affects Pinpoint Booking System: from n/a through 2.9.9.5.1. The Pinpoint Booking System plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.9.5.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to modify settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/booking-system/wordpress-pinpoint-booking-system-plugin-2-9-9-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

External Control of Assumed-Immutable Web Parameter vulnerability in PINPOINT.WORLD Pinpoint Booking System allows Functionality Misuse.This issue affects Pinpoint Booking System: from n/a through 2.9.9.3.4. El control externo de la vulnerabilidad de parámetros web supuestamente inmutables en PINPOINT.WORLD Pinpoint Booking System permite el uso indebido de la funcionalidad. Este problema afecta a Pinpoint Booking System: desde n/a hasta 2.9.9.3.4. The Pinpoint Booking System plugin for WordPress is vulnerable to content spoofing in versions up to, and including, 2.9.9.3.4. This makes it possible for unauthenticated attackers to inject content that may alter the content and display of select pages. • https://patchstack.com/database/vulnerability/booking-system/wordpress-pinpoint-booking-system-plugin-2-9-9-3-4-parameter-tampering?_s_id=cve • CWE-451: User Interface (UI) Misrepresentation of Critical Information CWE-472: External Control of Assumed-Immutable Web Parameter •

CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 2

SQL injection vulnerability in dopbs-backend-forms.php in the Booking System (Booking Calendar) plugin before 1.3 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the booking_form_id parameter to wp-admin/admin-ajax.php. Vulnerabilidad de inyección SQL en dopbs-backend-forms.php en el plugin Booking System (Booking Calendar) anterior a 1.3 para WordPress permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro booking_form_id hacia wp-admin/admin-ajax.php. WordPress Booking System (Booking Calendar) plugin versions prior to 1.3 suffer from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/39197 http://packetstormsecurity.com/files/126762/WordPress-Booking-System-SQL-Injection.html http://wordpress.org/plugins/booking-system/changelog http://www.securityfocus.com/archive/1/532168/100/0/threaded • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •