CVSS: 6.4EPSS: %CPEs: 1EXPL: 0CVE-2024-51895 – Minical Hotel Booking Plugin <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-51895
The Minical Hotel Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2023-46478
https://notcve.org/view.php?id=CVE-2023-46478
An issue in minCal v.1.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the customer_data parameter. Un problema en minCal v.1.0.0 permite a un atacante remoto ejecutar código arbitrario a través de un script manipulado en el parámetro customer_data. • https://github.com/mr-xmen786/CVE-2023-46478 https://github.com/mr-xmen786/CVE-2023-46478/tree/main • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3307 – miniCal sql injection
https://notcve.org/view.php?id=CVE-2023-3307
A vulnerability was found in miniCal 1.0.0. It has been rated as critical. This issue affects some unknown processing of the file /booking/show_bookings/. The manipulation of the argument search_query leads to sql injection. The attack may be initiated remotely. • https://github.com/ctflearner/Vulnerability/blob/main/MINICAL/minical.md https://vuldb.com/?ctiid.231803 https://vuldb.com/?id.231803 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-33408
https://notcve.org/view.php?id=CVE-2023-33408
Minical 1.0.0 is vulnerable to Cross Site Scripting (XSS). The vulnerability exists due to insufficient input validation in the application's user input handling in the security_helper.php file. • https://github.com/Thirukrishnan/CVE-2023-33408 https://github.com/minical/minical • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-33409
https://notcve.org/view.php?id=CVE-2023-33409
Minical 1.0.0 is vulnerable to Cross Site Request Forgery (CSRF) via minical/public/application/controllers/settings/company.php. • https://github.com/Thirukrishnan/CVE-2023-33409 https://github.com/minical/minical • CWE-352: Cross-Site Request Forgery (CSRF) •