wp-plugin : wp-appointments-schedules | Code Vigilant : to err is human.. To fix is Humanity

wp-plugin : wp-appointments-schedules
Plugin Details

Plugin Name: wp-plugin : wp-appointments-schedules

Effected Version : 1.5 (and most probably lower version's if any)

Vulnerability : Cross-Site Scripting (XSS)

Identified by : anantshri

WPScan Reference URL

Technical Details

Minimum Level of Access Required : Unauthenticated

PoC - (Proof of Concept) :

http://localhost/wp-content/plugins/wp-appointments-schedules/js/test.php?lang="&gt;alert(document.cookie)&amp;

Vulnerable Parameter : lang

Disclosure Timeline

Vendor Contacted : 2014-01-17

Plugin Status : Updated on

Public Disclosure : June 12, 2014

CVE Number : CVE-2014-4579

Plugin Description :

[|
    	This wordpress plugin will let you create and manage schedules.
    You can add, delete, and manage appointments for each schedule.
    Individual schedules can be displayed on the website and may be
    enabled to allow online reservations by registered users.
    
    To add a schedule to a page add "[[DISPLAYSCHEDULE_PAUL]]" to the post in the page of interest for a schedule created with the name "Paul".	
]