VYPR
Unrated severity · NVD Advisory · Published Jan 13, 2018 · Updated Aug 5, 2024

CVE-2018-5672

Description

An issue was discovered in the booking-calendar plugin 2.1.7 for WordPress. XSS exists via the wp-admin/admin.php form_field5[label] parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The WordPress booking-calendar plugin 2.1.7 writes the value of the form_field5[label] parameter back into its admin page without output escaping, so a crafted label becomes a stored XSS that fires for anyone who later opens that form in wp-admin.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the booking-calendar plugin version 2.1.7 for WordPress. The affected input is the form_field5[label] parameter submitted to the plugin's admin page (wp-admin/admin.php) in the Forms section. The value is neither validated when it is stored nor escaped when it is rendered back into the page, so an attacker can place arbitrary HTML and JavaScript in a form-field label and have it executed as part of the admin page.

Exploitation

An attacker who holds an account that can edit the plugin's forms (the advisory gives an Editor-level user as an example) submits a malicious payload in the form_field5[label] parameter. The payload is saved with the form and executes in the browser of every other user, administrators included, who later views or edits that shared form page. Opening the affected page is the only action the victim has to take; no click on a link or dialog is required.

Impact

Successful exploitation lets the attacker run arbitrary JavaScript in the victim's authenticated session. That script can redirect the victim, deface pages, or perform any action the victim is allowed to perform. Because it runs inside the WordPress admin panel, an administrator who opens the tampered form page effectively hands the attacker the full reach of that administrative session. One practical caveat: WordPress marks its authentication cookies HttpOnly, so outright cookie theft is the less likely route; the script instead drives admin-ajax or REST requests directly, using the victim's cookies and the nonces already present on the page, which is enough to create users or install plugins without the victim noticing.

Mitigation

The vendor released a fixed version: booking-calendar plugin version 2.1.8 or later [1]. Update to the latest version. If an upgrade is not immediately possible, restrict the plugin's admin page to trusted users, review the labels of existing forms for markup or event handlers that an attacker may already have stored, and check any local modifications to the plugin's code for the same unescaped-output pattern.
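The pattern behind the Vulnerability and Exploitation sections above, and the fix the Mitigation section implies, shown side by side. This is an added example and not code from the booking-calendar plugin: the function names, the in-memory "storage", and the payload are constructed for illustration. It runs as plain PHP, so it uses htmlspecialchars() with ENT_QUOTES where a WordPress plugin would call esc_attr(), and a strip_tags()/whitespace clean-up where it would call sanitize_text_field(); those WordPress functions are the real fix, the standalone calls are stand-ins with the same effect.

```php
<?php
// Added example reproducing the bug class in CVE-2018-5672, not the plugin's
// own code. A form-field label arrives in form_field5[label], is stored, and
// is later echoed into an HTML attribute on the admin page.

// Constructed attacker input. The double quote closes the value="..."
// attribute and the rest becomes a new attribute with an event handler.
$payload = 'Name" autofocus onfocus="alert(document.cookie)';

// ---- Vulnerable pattern: stored raw, echoed raw. ----
function save_label_vulnerable(array $post): string {
    return $post['form_field5']['label'];   // no validation on input
}
function render_label_vulnerable(string $label): string {
    // Output is concatenated straight into an attribute: attribute injection.
    return '<input type="text" name="form_field5[label]" value="' . $label . '">';
}

// ---- Hardened pattern: sanitize on input, escape on output. ----
// Stand-in for sanitize_text_field(): drop tags, flatten whitespace, trim.
function save_label_hardened(array $post): string {
    $label = (string) ($post['form_field5']['label'] ?? '');
    $label = strip_tags($label);
    $label = preg_replace('/[\r\n\t ]+/', ' ', $label) ?? '';
    return trim($label);
}
// Stand-in for esc_attr(): encode & < > " ' so the value cannot leave the
// attribute. This is the step that actually closes the XSS; the input
// clean-up above is defense in depth (note it did nothing to this payload,
// which contains no tags).
function render_label_hardened(string $label): string {
    $safe = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="form_field5[label]" value="' . $safe . '">';
}

// Check used when running the script: true when the rendered markup still
// contains the label as one attribute value and no injected event handler.
function label_is_contained(string $html): bool {
    return preg_match('/ onfocus="/', $html) === 0
        && preg_match('/ autofocus /', $html) === 0;
}

$post = ['form_field5' => ['label' => $payload]];   // constructed request body

$vuln = render_label_vulnerable(save_label_vulnerable($post));
$hard = render_label_hardened(save_label_hardened($post));

echo "Vulnerable render:\n$vuln\n";
echo "  contained: " . var_export(label_is_contained($vuln), true) . "\n\n";
echo "Hardened render:\n$hard\n";
echo "  contained: " . var_export(label_is_contained($hard), true) . "\n";
```

Running it with `php example.php` prints the vulnerable markup with a live `onfocus` handler (contained: false) and the hardened markup with the quote encoded as `&quot;` so the whole payload stays inside `value` (contained: true). When auditing a plugin for this class of bug, the question to ask at every `echo` of stored data is which of the two render functions it resembles.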

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
