7 results (0.021 seconds)

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

The Appointment Booking Calendar WordPress plugin before 1.3.83 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding a booking to the calendar without paying. The Appointment Booking Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.82. This is due to missing or incorrect nonce validation on the cpabc_appointments.php page. This makes it possible for unauthenticated attackers to perform actions like adding bookings without paying via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/eb383600-0cff-4f24-8127-1fb118f0565a • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Missing Authorization vulnerability in Appointment Booking Calendar plugin <= 1.3.69 on WordPress. Vulnerabilidad de autorización faltante en el complemento Appointment Booking Calendar en WordPress en versiones &lt;= 1.3.69. The Appointment Booking Calendar plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the cpabcal_feedback() function in versions up to, and including, 1.3.69. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to submit plugin feedback. This can also be exploited via CSRF due to missing nonce validation. • https://patchstack.com/database/vulnerability/appointment-booking-calendar/wordpress-appointment-booking-calendar-plugin-1-3-69-missing-authorization-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 3

Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML. Una vulnerabilidad de tipo XSS almacenado, se presenta en el plugin Appointment Booking Calendar versiones anteriores a 1.3.35 para WordPress. En el archivo cpabc_appointments.php, la entrada Calendar Name podría permitir a atacantes inyectar JavaScript o HTML arbitrario. WordPress Appointment Booking Calendar plugin version 1.3.34 suffers from a CSV injection vulnerability. • https://www.exploit-db.com/exploits/48204 http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9 https://wordpress.org/plugins/appointment-booking-calendar/#developers https://wpvulndb.com/vulnerabilities/10110 https://www.hotdreamweaver.com/support/view.php?id=815925 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 3

The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection. El plugin Appointment Booking Calendar versiones anteriores a 1.3.35 para WordPress, permite que la entrada de usuario sea cualquier fórmula (en campos tales como Description o Name) en cualquier formulario de reserva, que luego podría ser exportado por medio de la pestaña Bookings list en /wp-admin/admin.php?page=cpabc_appointments.php. • https://www.exploit-db.com/exploits/48204 http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9 https://wordpress.org/plugins/appointment-booking-calendar/#developers https://www.hotdreamweaver.com/support/view.php?id=815925 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-1236: Improper Neutralization of Formula Elements in a CSV File •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

The appointment-booking-calendar plugin before 1.1.24 for WordPress has SQL injection, a different vulnerability than CVE-2015-7319. El plugin appointment-booking-calendar versiones anteriores a 1.1.24 para WordPress, presenta una inyección SQL, una vulnerabilidad diferente de CVE-2015-7319. • https://wordpress.org/plugins/appointment-booking-calendar/#developers • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •