Vulnerability Description
The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Codepeople | Appointment Booking Calendar | < 1.3.35 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-CalendExploitThird Party AdvisoryVDB Entry
- https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9ExploitThird Party Advisory
- https://wordpress.org/plugins/appointment-booking-calendar/#developersRelease NotesThird Party Advisory
- https://www.hotdreamweaver.com/support/view.php?id=815925Permissions Required
- http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-CalendExploitThird Party AdvisoryVDB Entry
- https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9ExploitThird Party Advisory
- https://wordpress.org/plugins/appointment-booking-calendar/#developersRelease NotesThird Party Advisory
- https://www.hotdreamweaver.com/support/view.php?id=815925Permissions Required
FAQ
What is CVE-2020-9372?
CVE-2020-9372 is a vulnerability with a CVSS score of 7.8 (HIGH). The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via th...
How severe is CVE-2020-9372?
CVE-2020-9372 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-9372?
Check the references section above for vendor advisories and patch information. Affected products include: Codepeople Appointment Booking Calendar.