CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8663 – WP Simple Booking Calendar <= 2.0.10 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-8663
The WP Simple Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://www.wordfence.com/threat-intel/vulnerabilities/id/cad4300f-02f9-4c9f-9bb3-1c9da8b78ac9?source=cve https://plugins.trac.wordpress.org/browser/wp-simple-booking-calendar/tags/2.0.10/includes/base/admin/calendar/views/view-edit-calendar.php#L155 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3150474%40wp-simple-booking-calendar&new=3150474%40wp-simple-booking-calendar&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/browser/wp-simple-booking-calendar/tags/2. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51525 – WordPress WP Simple Booking Calendar plugin <= 2.0.8.4 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2023-51525
Cross-Site Request Forgery (CSRF) vulnerability in Veribo, Roland Murg WP Simple Booking Calendar.This issue affects WP Simple Booking Calendar: from n/a through 2.0.8.4. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Veribo, Roland Murg WP Simple Booking Calendar. Este problema afecta a WP Simple Booking Calendar: desde n/a hasta 2.0.8.4. The WP Simple Booking Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.8.4. This is due to missing or incorrect nonce validation on the wpsbc_refresh_calendar_editor function. • https://patchstack.com/database/vulnerability/wp-simple-booking-calendar/wordpress-wp-simple-booking-calendar-plugin-2-0-8-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2021-24726 – WP Simple Booking Calendar <= 2.0.6 (before 07/12/2021) - Authenticated SQL Injection
https://notcve.org/view.php?id=CVE-2021-24726
The WP Simple Booking Calendar WordPress plugin before 2.0.6 did not escape, validate or sanitise the orderby parameter in its Search Calendars action, before using it in a SQL statement, leading to an authenticated SQL injection issue El plugin WP Simple Booking Calendar de WordPress versiones anteriores a 2.0.6, no escapaba, comprobaba o saneaba el parámetro orderby en su acción Search Calendars, antes de usarlo en una sentencia SQL, conllevando a un problema de inyección SQL autenticada The WP Simple Booking Calendar WordPress plugin before 2.0.7 did not escape, validate or sanitise the orderby parameter in its Search Calendars action, before using it in a SQL statement, leading to an authenticated SQL injection issue • https://wpscan.com/vulnerability/f85b6033-d7c1-45b7-b3b0-8967f7373bb8 https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29176 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •