CVE-2021-24429: Salon Booking System < 6.3.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
First published: Mon Jul 12 2021(Updated: )
The Salon booking system WordPress plugin before 6.3.1 does not properly sanitise and escape the First Name field when booking an appointment, allowing low privilege users such as subscriber to set JavaScript in them, leading to a Stored Cross-Site Scripting (XSS) vulnerability. The Payload will then be triggered when an admin visits the "Calendar" page and the malicious script is executed in the admin context.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Salon Booking System WordPress Plugin | <6.3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2021-24429?
CVE-2021-24429 is classified as a high severity vulnerability due to its potential for Stored Cross-Site Scripting (XSS).
How do I fix CVE-2021-24429?
To fix CVE-2021-24429, update the Salon Booking System WordPress plugin to version 6.3.1 or later.
Who is affected by CVE-2021-24429?
CVE-2021-24429 affects users of the Salon Booking System WordPress plugin prior to version 6.3.1.
What type of vulnerability is CVE-2021-24429?
CVE-2021-24429 is a Stored Cross-Site Scripting (XSS) vulnerability.
What can attackers do with CVE-2021-24429?
Attackers can exploit CVE-2021-24429 to inject malicious JavaScript into the First Name field, impacting users of the system.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/title
- agent/weakness
- agent/author
- agent/references
- agent/first-publish-date
- agent/description
- agent/event
- agent/tags
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/salonbookingsystem
- canonical/salon booking system wordpress plugin