7 vulnerabilities by nsqua
CVE-2024-7876 (GCVE-0-2024-7876)
Vulnerability from cvelistv5 – Published: 2024-11-05 06:00 – Updated: 2024-11-05 15:52
Title
Appointment Booking Calendar < 1.6.7.55 - Admin+ Stored XSS
Summary
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Appointment Type settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
Severity ?
4.8 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin |
Affected:
0 , < 1.6.7.55
(semver)
|
Credits
Jeewan Kumar Bhatta
WPScan
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nsquared:appointment_booking_calendar:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "appointment_booking_calendar",
"vendor": "nsquared",
"versions": [
{
"lessThan": "1.6.7.55",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-7876",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T15:51:25.557309Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T15:52:12.176Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.6.7.55",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeewan Kumar Bhatta"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Appointment Type settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T06:00:07.461Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/fffe862f-5bf0-4a05-9d32-caff0bfdb860/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Appointment Booking Calendar \u003c 1.6.7.55 - Admin+ Stored XSS",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-7876",
"datePublished": "2024-11-05T06:00:07.461Z",
"dateReserved": "2024-08-16T12:20:01.517Z",
"dateUpdated": "2024-11-05T15:52:12.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7877 (GCVE-0-2024-7877)
Vulnerability from cvelistv5 – Published: 2024-11-05 06:00 – Updated: 2024-11-05 15:50
Title
Appointment Booking Calendar < 1.6.7.55 - Admin+ Stored XSS
Summary
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Notification settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
Severity ?
4.8 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin |
Affected:
0 , < 1.6.7.55
(semver)
|
Credits
Jeewan Kumar Bhatta
WPScan
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nsquared:appointment_booking_calendar:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "appointment_booking_calendar",
"vendor": "nsquared",
"versions": [
{
"lessThan": "1.6.7.55",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-7877",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T15:41:25.929217Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T15:50:50.548Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.6.7.55",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeewan Kumar Bhatta"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Notification settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T06:00:07.856Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/fbec3738-2135-458d-be25-1ffb00e6deb6/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Appointment Booking Calendar \u003c 1.6.7.55 - Admin+ Stored XSS",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-7877",
"datePublished": "2024-11-05T06:00:07.856Z",
"dateReserved": "2024-08-16T12:25:01.921Z",
"dateUpdated": "2024-11-05T15:50:50.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7129 (GCVE-0-2024-7129)
Vulnerability from cvelistv5 – Published: 2024-09-13 06:00 – Updated: 2025-09-15 19:26
Title
Appointment Booking Calendar < 1.6.7.43 - Admin+ Template Injection to RCE
Summary
The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which, if further exploited, can result in remote code execution by high-privilege users such as admins.
Severity ?
7.2 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin |
Affected:
0 , < 1.6.7.43
(semver)
|
Credits
Jeewan Kumar Bhatta
WPScan
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nsquared:appointment_booking_calendar:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "appointment_booking_calendar",
"vendor": "nsquared",
"versions": [
{
"lessThan": "1.6.7.43",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-7129",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-13T13:46:10.172882Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T19:26:20.635Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.6.7.43",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeewan Kumar Bhatta"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to remote code Execution by high privilege such as admins"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T12:00:40.205Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/00ad9b1a-97a5-425f-841e-ea48f72ecda4/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Appointment Booking Calendar \u003c 1.6.7.43 - Admin+ Template Injection to RCE",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-7129",
"datePublished": "2024-09-13T06:00:03.731Z",
"dateReserved": "2024-07-26T11:56:34.810Z",
"dateUpdated": "2025-09-15T19:26:20.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50851 (GCVE-0-2023-50851)
Vulnerability from cvelistv5 – Published: 2023-12-28 11:28 – Updated: 2025-04-17 20:28
Title
WordPress Simply Schedule Appointments Plugin < 1.6.6.1 is vulnerable to SQL Injection
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in N Squared Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin. This issue affects Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin: from n/a before 1.6.6.1.
Severity ?
7.6 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| N Squared | Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin |
Affected:
n/a , < 1.6.6.1
(custom)
|
Credits
Muhammad Daffa (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:23:43.612Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/simply-schedule-appointments/wordpress-simply-schedule-appointments-booking-plugin-1-6-6-1-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50851",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-02T19:05:58.215272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T20:28:24.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "simply-schedule-appointments",
"product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin",
"vendor": "N Squared",
"versions": [
{
"changes": [
{
"at": "1.6.6.1",
"status": "unaffected"
}
],
"lessThan": "1.6.6.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Muhammad Daffa (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in N Squared Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin.\u003cp\u003eThis issue affects Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin: from n/a before 1.6.6.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in N Squared Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin.This issue affects Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin: from n/a before 1.6.6.1.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-28T11:28:30.036Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/simply-schedule-appointments/wordpress-simply-schedule-appointments-booking-plugin-1-6-6-1-sql-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;1.6.6.1 or a higher version."
}
],
"value": "Update to\u00a01.6.6.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Simply Schedule Appointments Plugin \u003c 1.6.6.1 is vulnerable to SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-50851",
"datePublished": "2023-12-28T11:28:30.036Z",
"dateReserved": "2023-12-14T17:19:02.630Z",
"dateUpdated": "2025-04-17T20:28:24.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2764 (GCVE-0-2023-2764)
Vulnerability from cvelistv5 – Published: 2023-06-09 05:33 – Updated: 2024-12-20 23:47
Summary
The Draw Attention plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_set_featured_image function in versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change the featured image of arbitrary posts with an image that exists in the media library.
Severity ?
4.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| croixhaug | Interactive Image Map Plugin – Draw Attention |
Affected:
* , ≤ 2.0.11
(semver)
|
Credits
Alex Thomas
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:33:05.391Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18530601-a294-448c-a1b2-c3995f9042ac?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/draw-attention/trunk/public/includes/lib/drag-drop-featured-image/index.php#L500"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917528/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2764",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:26:20.426750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:47:35.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Interactive Image Map Plugin \u2013 Draw Attention",
"vendor": "croixhaug",
"versions": [
{
"lessThanOrEqual": "2.0.11",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Thomas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Draw Attention plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_set_featured_image function in versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change the featured image of arbitrary posts with an image that exists in the media library."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T05:33:11.613Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18530601-a294-448c-a1b2-c3995f9042ac?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/draw-attention/trunk/public/includes/lib/drag-drop-featured-image/index.php#L500"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2917528/"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-15T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-17T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-05-30T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2764",
"datePublished": "2023-06-09T05:33:11.613Z",
"dateReserved": "2023-05-17T16:02:05.108Z",
"dateUpdated": "2024-12-20T23:47:35.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2374 (GCVE-0-2022-2374)
Vulnerability from cvelistv5 – Published: 2022-08-29 17:15 – Updated: 2024-08-03 00:32
Title
Simply Schedule Appointments < 1.5.7.7 - Admin+ Stored Cross-Site Scripting
Summary
The Simply Schedule Appointments WordPress plugin before 1.5.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-Site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Simply Schedule Appointments – WordPress Booking Plugin |
Affected:
1.5.7.7 , < 1.5.7.7
(custom)
|
Credits
Raad Haddad
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:32:09.669Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/12062d78-7a0d-4dc1-9bd6-6c54aa6bc761"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Simply Schedule Appointments \u2013 WordPress Booking Plugin",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.5.7.7",
"status": "affected",
"version": "1.5.7.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Raad Haddad"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Simply Schedule Appointments WordPress plugin before 1.5.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-29T17:15:36",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/12062d78-7a0d-4dc1-9bd6-6c54aa6bc761"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Simply Schedule Appointments \u003c 1.5.7.7 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-2374",
"STATE": "PUBLIC",
"TITLE": "Simply Schedule Appointments \u003c 1.5.7.7 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Simply Schedule Appointments \u2013 WordPress Booking Plugin",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.5.7.7",
"version_value": "1.5.7.7"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Raad Haddad"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Simply Schedule Appointments WordPress plugin before 1.5.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-Site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/12062d78-7a0d-4dc1-9bd6-6c54aa6bc761",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/12062d78-7a0d-4dc1-9bd6-6c54aa6bc761"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-2374",
"datePublished": "2022-08-29T17:15:36",
"dateReserved": "2022-07-11T00:00:00",
"dateUpdated": "2024-08-03T00:32:09.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2373 (GCVE-0-2022-2373)
Vulnerability from cvelistv5 – Published: 2022-08-29 17:15 – Updated: 2024-08-03 00:32
Title
Simply Schedule Appointments < 1.5.7.7 - Unauthenticated Email Address Disclosure
Summary
The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users' details such as name and email address
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Simply Schedule Appointments – WordPress Booking Plugin |
Affected:
1.5.7.7 , < 1.5.7.7
(custom)
|
Credits
Raad Haddad
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:32:09.698Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/6aa9aa0d-b447-4584-a07e-b8a0d1b83a31"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Simply Schedule Appointments \u2013 WordPress Booking Plugin",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.5.7.7",
"status": "affected",
"version": "1.5.7.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Raad Haddad"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users details such as name and email address"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-29T17:15:35",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/6aa9aa0d-b447-4584-a07e-b8a0d1b83a31"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Simply Schedule Appointments \u003c 1.5.7.7 - Unauthenticated Email Address Disclosure",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-2373",
"STATE": "PUBLIC",
"TITLE": "Simply Schedule Appointments \u003c 1.5.7.7 - Unauthenticated Email Address Disclosure"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Simply Schedule Appointments \u2013 WordPress Booking Plugin",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.5.7.7",
"version_value": "1.5.7.7"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Raad Haddad"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users details such as name and email address"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862 Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/6aa9aa0d-b447-4584-a07e-b8a0d1b83a31",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/6aa9aa0d-b447-4584-a07e-b8a0d1b83a31"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-2373",
"datePublished": "2022-08-29T17:15:35",
"dateReserved": "2022-07-11T00:00:00",
"dateUpdated": "2024-08-03T00:32:09.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}