wp-plugin : rezgo-online-booking – A3-Cross-Site Scripting (XSS)


Plugin Details


Plugin Name : rezgo-online-booking


Affected Version : 1.8 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS)
Identified by : Prajal Kulkarni



Technical Details


Minimum Level of Access Required : Unauthenticated


PoC - (Proof of Concept) :




Vulnerable Parameter : tags, search_for


Trac ChangeLog : https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=848542%40rezgo-online-booking&old=748531%40rezgo-online-booking&sfp_email=&sfph_mail=#file500
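The following is an added illustration of this bug class and its fix in WordPress terms; it is not code from the plugin or from the changeset linked above. Only the parameter names `tags` and `search_for` come from the advisory; the function names and markup are hypothetical.

```php
<?php
// Added illustration, not the rezgo-online-booking plugin's code.
// Assumes a hypothetical search template that reflects the request
// parameters "search_for" and "tags" back into the rendered page.

// Weak pattern: reflecting untrusted GET input straight into HTML.
// Because the handler runs for unauthenticated visitors, any crafted
// link a victim follows can execute script in the site's origin
// (reflected XSS).
function rezgo_search_header_weak() {
    $search_for = isset( $_GET['search_for'] ) ? $_GET['search_for'] : '';
    $tags       = isset( $_GET['tags'] ) ? $_GET['tags'] : '';
    echo '<input type="text" name="search_for" value="' . $search_for . '">';
    echo '<p>Results for tag: ' . $tags . '</p>';
}

// Hardened pattern: normalise the input on the way in, then escape it
// for the exact context it is written into (HTML attribute vs. element
// text). wp_unslash(), sanitize_text_field(), esc_attr() and esc_html()
// are WordPress core functions.
function rezgo_search_header_safe() {
    $search_for = isset( $_GET['search_for'] )
        ? sanitize_text_field( wp_unslash( $_GET['search_for'] ) )
        : '';
    $tags = isset( $_GET['tags'] )
        ? sanitize_text_field( wp_unslash( $_GET['tags'] ) )
        : '';
    // Attribute context: esc_attr() encodes quotes and angle brackets so the
    // value cannot break out of the value="..." attribute.
    echo '<input type="text" name="search_for" value="' . esc_attr( $search_for ) . '">';
    // Element text context: esc_html() encodes the value as inert text.
    echo '<p>Results for tag: ' . esc_html( $tags ) . '</p>';
}
```

Input sanitisation alone is not the fix; the output escaping matched to each HTML context is what prevents the reflected value from being interpreted as markup.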


Disclosure Timeline


Vendor Contacted : 2014-01-21

Plugin Status : Updated on 2014-01-31
Public Disclosure : May 28, 2014
CVE Number : CVE-2014-4547

Plugin Description :
This plugin is completely free to use, but it requires a Rezgo account. Try Rezgo today and experience the world's best hosted tour and activity booking platform.

**Rezgo** is a cloud based software as a service booking system that
gives tourism businesses the ability to manage their tour or activity
inventory, manage reservations, and process credit card payments. This
plugin is a full featured front-end booking engine that connects your
WordPress site to your Rezgo account.

= Don't settle for an iframe or javascript widget =

The Rezgo WordPress Booking Plugin is a completely integrated booking
engine that takes advantage of all the content management
capabilities of WordPress. Tag, search, tour list, and tour detail
pages are all fully integrated with the WordPress site structure
giving you the ability to link directly to product pages, specific
dates, or apply promotional codes or referral ids.  Every Rezgo
WordPress page is search optimized and index ready, which means your
site gets all the benefit of your Rezgo content.

You get all the features of the regular Rezgo hosted booking engine
plus the flexibility to completely control the look and feel of your
customer booking experience.

= Plugin features include =

* Complete control over look and feel through CSS and access to display templates
* Full multiple booking (shopping cart) functionality
* Powerful AJAX booking calendar features
* Support for discount and referral codes
* Fully search-ready pages and search engine friendly URLs
* Integrated media gallery for photos and videos
* Complete transaction processing on your own site (with secure certificate)
* Full integration with 20+ payment systems including PayPal, Authorize.net, and many more.
* Plus all the other [features of Rezgo](http://www.rezgo.com/features)

= Support for your Rezgo Account =

If you need help getting set-up, Rezgo support is only a click or
phone call away:

* [Rezgo Support Website](http://support.rezgo.com)
* [Customer service forum](http://getsatisfaction.com/rezgo)
* [Rezgo on Twitter](http://www.twitter.com/rezgo)
* [Rezgo on Facebook](http://www.facebook.com/rezgo)
* Pick up the phone and call +1 (604) 983-0083
* Email support AT rezgo.com
