SB2020030502 - Multiple vulnerabilities in Appointment Booking Calendar plugin for WordPress

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Stored cross-site scripting (CVE-ID: CVE-2020-9371)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "cpabc_appointments.php" file. A remote authenticated attacker can permanently inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) CSV Injection (CVE-ID: CVE-2020-9372)

The vulnerability allows a remote attacker to inject arbitrary code into CSV files.

The vulnerability exists due to insufficient sanitization of user-supplied data when constructing CSV files in fields such as Description or Name in any booking form. A remote attacker can inject malicious data into the contact form fields that is used later by the plugin to generate CSV files. Such files can be opened with Microsoft Excel built-in functions and utilize its functionality to execute malicious macros.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9
• https://wordpress.org/plugins/appointment-booking-calendar/#developers
• https://wpvulndb.com/vulnerabilities/10110
• https://www.hotdreamweaver.com/support/view.php?id=815925