VYPR
Unrated severity · NVD Advisory · Published Jan 13, 2018 · Updated Aug 5, 2024

CVE-2018-5671

Description

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php extra_field1[items][field_item1][price_percent] parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WordPress booking-calendar plugin 2.1.7 allows editors to inject arbitrary JavaScript via the price_percent parameter.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the booking-calendar plugin version 2.1.7 for WordPress. The flaw resides in the extra_field1[items][field_item1][price_percent] parameter passed to /wp-admin/admin.php?page=wpdevart-extras. User-supplied input is not properly sanitized before being stored, allowing arbitrary HTML and JavaScript to be persisted. The same codebase also contains similar issues in the themes and forms pages, but this CVE specifically addresses the extras page parameter [1].

Exploitation

An attacker with editor-level privileges (or higher) can craft a malicious payload in the price_percent field, for example: ">. When the attacker saves the extras configuration, the payload is stored. Any user who subsequently visits the affected admin page (including administrators) will execute the injected script in their browser session. No additional user interaction beyond viewing the page is required [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's WordPress admin session. This can lead to session cookie theft, administrative actions performed on behalf of the victim, defacement, or redirection to malicious sites. The attacker gains the ability to impersonate higher-privileged users, potentially leading to full site compromise [1].

Mitigation

As of the publication date (2018-01-13), no patched version of the booking-calendar plugin has been released. Users should disable or remove the plugin until a fix is available. Alternatively, a web application firewall (WAF) rule can be deployed to block malicious input to the price_percent parameter. The plugin may be abandoned; consider migrating to an alternative booking solution [1].
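The root cause described under Vulnerability (the value is stored without sanitization) and the input-blocking idea under Mitigation can both be addressed in the plugin itself. The following PHP is an added illustration written for this page, not the booking-calendar plugin's own code; the function names prefixed `wpdevart_example_` and the option name `wpdevart_example_price_percent` are hypothetical, and it assumes WordPress core is loaded so that `check_admin_referer()`, `current_user_can()`, `wp_die()`, `update_option()`, `get_option()` and `esc_attr()` are available. It treats `price_percent` as what it is, a number, rejects anything else before it reaches the database, and still escapes on output so that even a value that slipped past validation could not break out of the attribute.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded.
// Field path mirrors the advisory: extra_field1[items][field_item1][price_percent].

/**
 * Validate a price_percent value: it must be a plain decimal in 0..100.
 * Returns a float, or null when the input is not acceptable. A percentage
 * never legitimately contains quotes or angle brackets, so rejecting
 * non-numeric input closes the stored-XSS path at the point of entry.
 */
function wpdevart_example_sanitize_price_percent($raw) {
    if (!is_string($raw) && !is_int($raw) && !is_float($raw)) {
        return null; // arrays or objects smuggled in via the query string
    }
    $raw = trim((string) $raw);
    // is_numeric() would also accept "1e3" or hex-like forms; insist on a plain decimal.
    if (!preg_match('/^\d{1,3}(\.\d{1,2})?$/', $raw)) {
        return null;
    }
    $value = (float) $raw;
    return ($value >= 0.0 && $value <= 100.0) ? $value : null;
}

/**
 * Handle the extras form submission. Refuses the request instead of storing
 * attacker-controlled markup, and checks the nonce and capability so the
 * save cannot be triggered cross-site or by a lower-privileged account.
 */
function wpdevart_example_save_extras(array $post) {
    check_admin_referer('wpdevart_example_extras_save'); // hypothetical nonce action
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges');
    }
    $percent = $post['extra_field1']['items']['field_item1']['price_percent'] ?? null;
    $clean = wpdevart_example_sanitize_price_percent($percent);
    if ($clean === null) {
        wp_die('price_percent must be a number between 0 and 100');
    }
    update_option('wpdevart_example_price_percent', $clean);
}

/**
 * Render the stored value back into the admin form. Validation on input is
 * not enough on its own: esc_attr() encodes quotes and angle brackets, so
 * whatever is in the option can never terminate the value="..." attribute.
 */
function wpdevart_example_render_field() {
    $stored = get_option('wpdevart_example_price_percent', 0);
    printf(
        '<input type="number" min="0" max="100" step="0.01" '
        . 'name="extra_field1[items][field_item1][price_percent]" value="%s">',
        esc_attr((string) $stored)
    );
}
```

The same two-sided pattern, strict validation on the way in and context-appropriate escaping on the way out, applies to the themes and forms pages the advisory says share this codebase; a WAF rule on the parameter is a stopgap that only covers the one field it names.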

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0

No linked articles in our index yet.