The Salon Booking System plugin for WordPress is a widely-used tool that allows businesses to manage appointments and bookings online. However, a serious vulnerability, CVE-2024-9882, has been discovered that enables attackers to exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw allows attackers to inject malicious JavaScript code into the plugin’s service settings, leading to potential account takeover and the creation of a backdoor.
| CVE | CVE-2024-9882 |
| Plugin | Salon Booking System < 10.9.4 |
| Critical | High |
| All Time | 621 813 |
| Active installations | 10 000+ |
| Publicly Published | October 25, 2024 |
| Last Updated | October 25, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9882 https://wpscan.com/vulnerability/7f7667fd-6ac6-4c90-aaf0-c7862bd8e9bd/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| September 14, 2024 | Plugin testing and vulnerability detection in the Salon Booking System have been completed |
| September 14, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 25, 2024 | Registered CVE-2024-9882 |
Discovery of the Vulnerability
During a routine security audit of the Salon Booking System plugin, it was identified that the plugin fails to properly sanitize user inputs in the “Title” field of the service settings. This oversight allows an attacker to embed malicious JavaScript code in this field. The vulnerability is triggered when an admin or editor views the service settings or interacts with the plugin’s features, executing the malicious code. Additionally, the “Limit reservations to the following” option under Assistants also exposes the plugin to exploitation when combined with unfiltered HTML permissions granted to users with editor roles.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities are common in web applications, including WordPress plugins, and occur when malicious scripts are injected into web pages viewed by other users. XSS can lead to a variety of attacks, such as session hijacking, defacement of web pages, and account takeover. A well-known real-world example of XSS exploitation in WordPress occurred with the WPForms plugin, where improperly sanitized form fields allowed attackers to execute malicious JavaScript. The Salon Booking System plugin vulnerability shares similar characteristics, where an attacker with the right privileges (editor or admin) can exploit unsanitized user input to trigger malicious actions on the site.
Exploiting the XSS Vulnerability
Exploiting CVE-2024-9882 is relatively straightforward. The attacker must navigate to the plugin’s service settings and insert a malicious payload, such as <img src=x onerror=alert(1)>
POC:
Go to the services of the plugin and change "Title" field to "Malicious JS code eval() and etc. For example <img src=x onerror=alert(1)> -> Save Settings -> Go to Assistants and click on "Limit resservations to the following" (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The potential impact of this vulnerability is significant. If exploited, an attacker could create a backdoor admin account, granting them full access to the WordPress site. This would allow them to manipulate booking data, steal sensitive customer information, or modify the site’s content. In a real-world scenario, an attacker could use this vulnerability to compromise the site’s integrity, causing financial or reputational damage to the business. Additionally, the attacker could use the backdoor to install malicious scripts, spread malware, or perform further attacks, making the website a vector for larger-scale exploitation.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-9882, it is essential for administrators to update the Salon Booking System plugin to the latest patched version as soon as it is released. Additionally, administrators should restrict user roles with unfiltered_html capabilities, ensuring that only trusted users, such as admins, can inject JavaScript into the site. Further, all user inputs, especially in fields like the service title, should be properly sanitized to prevent XSS attacks. Implementing Content Security Policies (CSP) and conducting regular security audits of plugins can also help detect and mitigate potential vulnerabilities.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-9882, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
