CVE-2016-20084
Description
Unauthenticated attackers can escalate privileges and inject persistent XSS in WordPress appointment-booking-calendar ≤1.1.24 via admin.php GET parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The appointment-booking-calendar plugin for WordPress versions up to and including 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site scripting (XSS) payloads. The vulnerabilities reside in the admin.php page parameters, specifically the ict, ics, and name parameters. No authentication is required to reach the vulnerable code path. [2][3]
Exploitation
An attacker can send crafted GET requests to the WordPress admin area (/wp-admin/admin.php?page=cpabc_appointments&ac=st&...) with malicious JavaScript payloads in the ict, ics, or name parameters. The exploit does not require any prior authentication or user interaction. The PoC demonstrates changing database charset and injecting XSS into options. [2]
Impact
Successful exploitation allows an unauthenticated attacker to modify calendar settings, including changing the calendar owner and injecting persistent XSS. The injected scripts execute when the calendar is displayed or accessed in the administration interface, potentially leading to session hijacking, defacement, or further compromise of the WordPress installation. [2][3]
Mitigation
The vendor has not released a patched version; the plugin appears to be discontinued or no longer maintained. Users should remove or replace the plugin with an alternative. The vulnerability is listed in the Exploit Database and VulnCheck advisories. [1][2][3]
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE), version range: = 1.1.24
- (no CPE), version range: = 1.1.24
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authentication and authorization checks on the admin.php settings update handler allow unauthenticated modification of plugin configuration and stored XSS injection."
Attack vector
An unauthenticated attacker can send crafted GET requests to the WordPress admin page `wp-admin/admin.php?page=cpabc_appointments` with specific parameters. In the first vector, parameters `ac=st&chs=UTF-8&ict=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&ics=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&scr=1` inject malicious JavaScript into the `ict` and `ics` options and set the `CPABC_APPOINTMENTS_LOAD_SCRIPTS` flag [ref_id=1]. In a second vector, parameters `u=1&owner=5&name=%3C%2Foption%3E%3C%2Fselect%3E%3Cimg+src%3Dx+onerror%3Dalert%28%2Fjoaquin%2F%29%3E%3C` update a calendar's owner and set its name to a persistent XSS payload that executes when the calendar shortcode is rendered [ref_id=1]. Both attacks require no prior authentication or special privileges.
Affected code
The vulnerability resides in the WordPress plugin `appointment-booking-calendar` (version ≤1.1.24), specifically in the `admin.php` page parameters processed by the `cpabc_appointments` menu page. The plugin fails to enforce authentication or capability checks on the `ac=st`, `u=`, `owner=`, and `name=` GET parameters, allowing unauthenticated users to modify calendar settings and inject persistent XSS. The vulnerable parameters are `ict`, `ics`, `chs`, `scr`, `owner`, and `name` as demonstrated in the exploit PoCs [ref_id=1].
What the fix does
The advisory does not provide a patch diff. To remediate, the plugin must validate that the requesting user has appropriate administrative capabilities (e.g., `manage_options`) before processing any settings update requests in `admin.php`. All input parameters such as `ict`, `ics`, `owner`, and `name` must be sanitized and escaped before being stored or rendered. Without these validation and sanitization checks, unauthenticated users can perform privilege escalation and inject persistent XSS payloads [ref_id=1].
Preconditions
- config: Target must have WordPress with appointment-booking-calendar plugin version ≤1.1.24 installed and active.
- auth: No authentication is required; the attack is performed over HTTP GET requests to the wp-admin endpoint.
- network: Attacker must be able to send HTTP requests to the WordPress admin URL.
- input: Attack parameters are passed via GET query string; no special input encoding is required beyond URL encoding.
Reproduction
To reproduce, send a GET request to `http://<target>/wordpress/wp-admin/admin.php?page=cpabc_appointments&ac=st&chs=UTF-8&ict=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&ics=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&scr=1` as an unauthenticated user. This injects XSS payloads into the `ict` and `ics` settings and enables script loading [ref_id=1]. For the calendar name XSS, send a GET request to `http://<target>/wordpress/wp-admin/admin.php?page=cpabc_appointments&u=1&owner=5&name=%3C%2Foption%3E%3C%2Fselect%3E%3Cimg+src%3Dx+onerror%3Dalert%28%2Fjoaquin%2F%29%3E%3C` to update calendar ID 1 with a malicious name [ref_id=1].
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions
No linked articles in our index yet.