A Cross-Site Scripting (XSS) vulnerability has been discovered in the WordPress Booking Calendar plugin. This vulnerability could allow a malicious actor to inject malicious scripts into the website, which would be executed when visitors visit the affected site.
This vulnerability was discovered and reported by Pablo Sanchez.
The vulnerability is caused by a lack of input validation in the plugin’s code. This allows an attacker to inject malicious scripts into the website, which are then executed when visitors visit the site.
The vulnerability has been fixed in version 220.127.116.11 of the WordPress Booking Calendar plugin. Users who are running an older version of the plugin should update to the latest version as soon as possible.
The vulnerability has a CVSS 3.1 score of 7.1, which is considered to be high severity. This means that the vulnerability is moderately likely to be exploited and could have a significant impact on the affected system.
All versions of the WordPress Booking Calendar plugin prior to 18.104.22.168 are affected by this vulnerability.
An attacker who successfully exploits this vulnerability could inject malicious scripts into your website. This could allow the attacker to steal sensitive data, redirect visitors to malicious websites, or take control of the affected website.
Update the WordPress Booking Calendar plugin to the latest available version (at least 22.214.171.124).
Due to the high severity of this vulnerability, immediate action is essential to secure the website:
- Update the Plugin: Update the Booking Calendar Plugin to the latest available version, ensuring it is at least version 126.96.36.199. This update encompasses essential security fixes for the XSS vulnerability.
- Regular Plugin Updates: In addition to this specific update, maintain the practice of routinely updating all WordPress plugins and themes to their latest versions. This is a fundamental security measure for websites.
- Enhance Security Measures: Consider implementing additional security layers, such as web application firewalls (WAFs) and security plugins. Regular security audits can help identify and address potential vulnerabilities.