WP Booking Calendar is a widely-used WordPress plugin that enables users to manage and book appointments directly from their WordPress site. However, a critical Stored Cross-Site Scripting (XSS) vulnerability has been discovered in the plugin, identified as CVE-2024-10893. This vulnerability allows attackers to inject malicious JavaScript code into the plugin’s “Message title” field. The flaw can be exploited by users with any role, including editors, and can lead to the creation of a backdoor through which attackers can hijack accounts and take control of the site. With over 50,000 active installations, this vulnerability represents a significant security risk.
| CVE | CVE-2024-10893 |
| Plugin | WP Booking Calendar < 10.6.5 |
| Critical | High |
| All Time | 3 811 134 |
| Active installations | 50 000+ |
| Publicly Published | November 14, 2024 |
| Last Updated | November 14, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10893 https://wpscan.com/vulnerability/a230a552-3fda-4145-810f-58af540107db/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| October 22, 2024 | Plugin testing and vulnerability detection in the WP Booking Calendar have been completed |
| October 22, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 14, 2024 | Registered CVE-2024-10893 |
Discovery of the Vulnerability
The vulnerability was discovered during a security audit of WP Booking Calendar. It was found that the plugin improperly sanitizes input in the “Message title” field located in the plugin’s settings page (wp-admin/admin.php?page=wpbc-settings). This oversight allows users to inject JavaScript into the field, which is then stored in the WordPress database and rendered on the site without proper sanitization. The vulnerability is made worse by the fact that it can be exploited by users with any role, including those with lower privileges, such as editors. As a result, even users who do not have direct administrative access can leverage this flaw to inject malicious scripts into the site.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is one of the most common and dangerous vulnerabilities found in web applications, including WordPress plugins. XSS vulnerabilities allow attackers to inject malicious JavaScript code into web pages, which is then executed in the browsers of users who visit the page. This type of vulnerability can be used to steal session cookies, hijack user accounts, redirect users to malicious websites, or install backdoors for persistent access. A real-world example of an XSS vulnerability in WordPress was found in the Contact Form 7 plugin, where attackers could inject malicious scripts into form fields, leading to session hijacking and other exploits. Similarly, CVE-2024-10893 allows malicious JavaScript to be injected into the WP Booking Calendar plugin’s settings, which can be executed when interacting with the booking forms.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10893, an attacker with editor-level privileges:
POC:
You should change "Message title" field in 127.0.0.1/wordpress/wp-admin/admin.php?page=wpbc-settings to "Malicious JS code eval() and etc. For example <img src=x onerror=alert(1)> -> Save Settings -> Add new booking and click "Send" (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The risks associated with CVE-2024-10893 are significant. A successful exploitation could allow attackers to hijack user sessions or escalate their privileges to create an admin account, giving them full control over the WordPress site. This could result in a variety of malicious actions, including stealing sensitive data, modifying booking information, or even installing malicious plugins or backdoors. In a real-world scenario, an attacker could use the backdoor admin access to alter or delete site content, steal user information, or use the site for further attacks on other systems. This vulnerability poses an especially serious risk for sites handling sensitive customer information or financial transactions, as it could lead to data breaches, financial losses, and damage to the site’s reputation.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10893, administrators should update WP Booking Calendar to the latest version immediately. It is also critical to limit the unfiltered_html capability for non-admin users, particularly editors, to prevent them from injecting JavaScript into plugin settings or other fields. Additionally, all user input, especially in fields like the “Message title” field, should be properly sanitized to prevent malicious scripts from being executed. Site administrators should also consider implementing Content Security Policies (CSP) to block untrusted scripts from executing on the site, even if they are injected. Regular security audits of plugins, coupled with the use of security plugins that detect and block XSS attacks, can further help protect the site from exploitation. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10893, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
