CVE-2018-5670
Description
An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php sale_conditions[count][] parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the booking-calendar plugin 2.1.7 for WordPress allows authenticated users to inject arbitrary web script via the sale_conditions[count][] parameter.
Vulnerability
Stored cross-site scripting (XSS) vulnerability in the booking-calendar plugin 2.1.7 for WordPress. The parameter sale_conditions[count][] in the Themes section (wp-admin/admin.php?page=wpdevart-themes) is not properly sanitized, allowing injection of arbitrary HTML and JavaScript [1].
Exploitation
An attacker with editor-level privileges can inject a malicious payload into the sale_conditions[count][] parameter when editing themes. The payload is stored and executed when any user, including administrators, visits the Themes page [1].
Impact
Successful exploitation leads to stored XSS, enabling session hijacking or arbitrary actions performed on behalf of the victim. The attack affects every user who views the compromised admin page [1]. Note that WordPress sets its authentication cookies HttpOnly by default, so the practical risk is script executing with the victim's privileges (for example, issuing authenticated admin requests) rather than direct cookie theft.
Mitigation
No official patch is listed in the available references. Administrators should disable or remove the plugin until a fixed version is available. On the plugin side, the correct fix is to sanitize the submitted values on save and escape them on output (for example with esc_attr), since input validation alone does not prevent unescaped output [1]. Unpatched plugins are sometimes closed in the WordPress.org repository, which blocks new installs but does not remove existing ones.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
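The following PHP is an added illustration of the bug pattern described above and its hardened counterpart; it is not the booking-calendar plugin's own code, which is not reproduced in the references. The option name bc_demo_sale_conditions, the function names, and the assumption that sale_conditions[count][] carries a numeric quantity are all hypothetical. The vulnerable half stores the posted array untouched and echoes it back into an attribute; the hardened half sanitizes on save, escapes on output, and adds capability and nonce checks.

```php
<?php
// Added example (hypothetical reconstruction), not the plugin's code.
// Assumed: an admin settings form posts sale_conditions[count][] and the
// Themes page re-renders the stored values into input fields.

// --- Vulnerable pattern: stored as received, echoed unescaped ---------------
function bc_demo_save_vulnerable() {
    // $_POST['sale_conditions']['count'] arrives as an array of strings.
    $conditions = isset($_POST['sale_conditions']) ? $_POST['sale_conditions'] : array();
    update_option('bc_demo_sale_conditions', $conditions); // no sanitization
}

function bc_demo_render_vulnerable() {
    $conditions = get_option('bc_demo_sale_conditions', array('count' => array()));
    foreach ($conditions['count'] as $count) {
        // A stored value such as  "><script>...</script>  closes the value
        // attribute and runs in the browser of whoever opens this page.
        echo '<input type="text" name="sale_conditions[count][]" value="' . $count . '">';
    }
}

// --- Hardened pattern: sanitize on save, escape on output ------------------
function bc_demo_sanitize_conditions($raw) {
    $clean = array('count' => array());
    if (isset($raw['count']) && is_array($raw['count'])) {
        foreach ($raw['count'] as $count) {
            // Assumption: the field is a quantity, so a non-negative integer is
            // the only valid shape; anything else collapses to 0.
            $clean['count'][] = absint($count);
        }
    }
    return $clean;
}

function bc_demo_save_hardened() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges');
    }
    check_admin_referer('bc_demo_save_conditions'); // rejects requests without a valid nonce (CSRF)
    $raw = isset($_POST['sale_conditions']) ? wp_unslash($_POST['sale_conditions']) : array();
    update_option('bc_demo_sale_conditions', bc_demo_sanitize_conditions($raw));
}

function bc_demo_render_hardened() {
    $conditions = get_option('bc_demo_sale_conditions', array('count' => array()));
    wp_nonce_field('bc_demo_save_conditions');
    foreach ($conditions['count'] as $count) {
        // Escape on output regardless of what is stored: esc_attr neutralises
        // quotes and angle brackets, so even a poisoned option cannot break out.
        echo '<input type="number" name="sale_conditions[count][]" value="' . esc_attr($count) . '">';
    }
}
```

Escaping on output is the control that actually stops the XSS here: if the plugin intentionally lets editor-level users reach the Themes page, the capability check above would not block them, but esc_attr still renders their payload inert for the administrator who later views it. Sanitizing on save is defence in depth and also cleans values that were stored before the fix.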
Affected products
- booking-calendar plugin for WordPress: version = 2.1.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/d4wner/Vulnerabilities-Report/blob/master/booking-calendar.md (MISC)
- [2] wpvulndb.com/vulnerabilities/9012 (MISC)
News mentions
No linked articles in our index yet.