CVE-2024-12737 Scanner
CVE-2024-12737 Scanner - Cross-Site Scripting (XSS) vulnerability in WP BASE Booking
Short Info
Level
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
19 days 9 hours
Scan only one
Domain, Subdomain, IPv4
Toolbox
WP BASE Booking is a popular WordPress plugin used for scheduling appointments, services, and events. It caters to businesses and individuals looking to automate and streamline booking processes on their websites. Users find this plugin beneficial as it integrates seamlessly with the WordPress platform, offering various customization options and features. The plugin's popularity stems from its ability to handle booking management efficiently, making it indispensable for small to large organizations. With its user-friendly interface, it appeals to non-technical users as well. Ultimately, its role in managing schedules and events makes it a crucial tool for enhancing business workflows.
The vulnerability identified in WP BASE Booking involves a reflected cross-site scripting (XSS) issue. This flaw arises from insufficient sanitization and escaping of specific parameters before they are displayed to users. Malicious actors can exploit this vulnerability by crafting URLs that cause scripts to execute in high-privilege users' browsers. As a result, attackers may perform actions such as session hijacking or impersonating legitimate users, compromising sensitive account information.
The vulnerability specifically affects a parameter in the WP BASE Booking plugin, failing to properly sanitize input before output. In practice, this means arbitrary scripts can be executed in a user's browser without proper validation. The affected endpoint involves an administrative page within the plugin where inadequate input filtration can lead to the execution of injected scripts. The issue allows exploitation by simply convincing a victim to click on a manipulated URL, triggering the execution of harmful code in their session.
When exploited, this vulnerability has significant potential implications for affected sites and users. High privilege user accounts could be compromised, leading to unauthorized actions such as data theft or configuration changes on the WordPress site. Additionally, session hijacking allows attackers to impersonate legitimate users, facilitating further malicious activities. The broader effect could undermine user trust and lead to reputational damage for organizations utilizing the plugin.
REFERENCES
