CVE-2024-35297
Description
Cross-site scripting vulnerability exists in WP Booking versions prior to 2.4.5. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing the web site using the product.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in WP Booking plugin versions prior to 2.4.5 allows arbitrary script execution in a victim's browser.
Vulnerability Description
CVE-2024-35297 is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin WP Booking (CWE-79) [1]. The flaw exists in plugin versions before 2.4.5 and allows an attacker to inject malicious script content that is stored on the server and later executed in the browser of an administrator or other user who views the affected page [1].
Attack Vector
An attacker with at least a low-privileged account can inject a script into a vulnerable input field, such as a booking detail or location name, that is not properly sanitized [1]. The attacker then relies on a privileged user (e.g., an administrator) interacting with the crafted content, for example by visiting the booking management page [1]. The script executes in that user's browser under the site's origin.
Impact
Successful exploitation enables arbitrary JavaScript execution in the context of the WordPress admin panel or frontend [1]. This could lead to session hijacking, defacement, or theft of sensitive data, depending on the victim's privileges. The CVSS v3 base score is 4.7 (Medium) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N [1].
Mitigation
The vulnerability is fixed in WP Booking version 2.4.5. Users should update the plugin to version 2.4.5 or later as instructed by the vendor [1]. No workarounds are publicly documented.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 3
News mentions: 0 (no linked articles in the index yet)