CVE-2021-24429

Public Exploit

Salon Booking System < 6.3.1 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

The Salon booking system WordPress plugin before 6.3.1 does not properly sanitise and escape the First Name field when booking an appointment, allowing low privilege users such as subscriber to set JavaScript in them, leading to a Stored Cross-Site Scripting (XSS) vulnerability. The Payload will then be triggered when an admin visits the "Calendar" page and the malicious script is executed in the admin context.

References

Link	Tags
https://wpscan.com/vulnerability/e922b788-7da5-43b4-9b05-839c8610252a	third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2021-24429?: CVE-2021-24429 has been scored as a medium severity vulnerability.
How to fix CVE-2021-24429?: To fix CVE-2021-24429, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-24429 being actively exploited in the wild?: It is possible that CVE-2021-24429 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-24429?: CVE-2021-24429 affects Salon Booking System Salon booking system.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Category

CWE-79 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

References

Frequently Asked Questions