CVE-2020-9372
N/A
N/A
Summary
The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://wordpress.org/plugins/appointment-booking-calendar/#developers
- https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9
- https://www.hotdreamweaver.com/support/view.php?id=815925
- http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html
References
- https://wordpress.org/plugins/appointment-booking-calendar/#developers
- https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9
- https://www.hotdreamweaver.com/support/view.php?id=815925
- http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.