CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-0856 – Booking Calendar < 1.3.83 - CSRF appointment scheduling
https://notcve.org/view.php?id=CVE-2024-0856
The Appointment Booking Calendar WordPress plugin before 1.3.83 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding a booking to the calendar without paying. The Appointment Booking Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.82. This is due to missing or incorrect nonce validation on the cpabc_appointments.php page. This makes it possible for unauthenticated attackers to perform actions like adding bookings without paying via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/eb383600-0cff-4f24-8127-1fb118f0565a • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-43482 – WordPress Appointment Booking Calendar plugin <= 1.3.69 - Missing Authorization vulnerability
https://notcve.org/view.php?id=CVE-2022-43482
Missing Authorization vulnerability in Appointment Booking Calendar plugin <= 1.3.69 on WordPress. Vulnerabilidad de autorización faltante en el complemento Appointment Booking Calendar en WordPress en versiones <= 1.3.69. The Appointment Booking Calendar plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the cpabcal_feedback() function in versions up to, and including, 1.3.69. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to submit plugin feedback. This can also be exploited via CSRF due to missing nonce validation. • https://patchstack.com/database/vulnerability/appointment-booking-calendar/wordpress-appointment-booking-calendar-plugin-1-3-69-missing-authorization-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 3CVE-2020-9371 – Appointment Booking Calendar <= 1.3.34 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-9371
Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML. Una vulnerabilidad de tipo XSS almacenado, se presenta en el plugin Appointment Booking Calendar versiones anteriores a 1.3.35 para WordPress. En el archivo cpabc_appointments.php, la entrada Calendar Name podría permitir a atacantes inyectar JavaScript o HTML arbitrario. WordPress Appointment Booking Calendar plugin version 1.3.34 suffers from a CSV injection vulnerability. • https://www.exploit-db.com/exploits/48204 http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9 https://wordpress.org/plugins/appointment-booking-calendar/#developers https://wpvulndb.com/vulnerabilities/10110 https://www.hotdreamweaver.com/support/view.php?id=815925 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 3CVE-2020-9372 – Appointment Booking Calendar <= 1.3.34 - CSV Injection
https://notcve.org/view.php?id=CVE-2020-9372
The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection. El plugin Appointment Booking Calendar versiones anteriores a 1.3.35 para WordPress, permite que la entrada de usuario sea cualquier fórmula (en campos tales como Description o Name) en cualquier formulario de reserva, que luego podría ser exportado por medio de la pestaña Bookings list en /wp-admin/admin.php?page=cpabc_appointments.php. • https://www.exploit-db.com/exploits/48204 http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9 https://wordpress.org/plugins/appointment-booking-calendar/#developers https://www.hotdreamweaver.com/support/view.php?id=815925 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-14791 – Appointment Booking Calendar < 1.3.19 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-14791
The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea parameter. El plugin Appointment Booking Calendar versión 1.3.18 para , permite un ataque de tipo XSS por medio del parámetro editionarea del archivo wp-admin/admin-post.php. • https://wordpress.org/plugins/appointment-booking-calendar/#developers https://wpvulndb.com/vulnerabilities/9426 https://www.pluginvulnerabilities.com/2019/07/03/hackers-look-to-be-targeting-the-wordpress-plugin-appointment-booking-calendar-which-is-yet-another-insecure-plugin-from-code-people • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •