CVE-2023-23895 – WP Time Slots Booking Form <= 1.1.82 - Improper Authorization Checks
https://notcve.org/view.php?id=CVE-2023-23895
The WP Time Slots Booking Form plugin for WordPress is vulnerable to authorization bypass due to improper capability checks throughout the ~/cp-admin-int-add-booking.inc.php file in versions up to, and including, 1.1.83. This makes it possible for authenticated attackers with editor-level privileges to modify some of the plugin's settings. • CWE-285: Improper Authorization •
CVE-2022-0389 – WP Time Slots Booking Form < 1.1.63 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0389
The WP Time Slots Booking Form WordPress plugin before 1.1.63 does not sanitise and escape Calendar names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. El plugin WP Time Slots Booking Form de WordPress versiones anteriores a 1.1.63, no sanea ni escapa de los nombres de los calendarios, permitiendo a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando la capacidad unfiltered_html no está permitida • https://wpscan.com/vulnerability/788ead78-9aa2-49a3-b191-12114be8270b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •