VYPR
Medium severity (6.5) · NVD Advisory · Published Nov 9, 2024 · Updated Apr 23, 2026 · No known patch

CVE-2024-51628

Description

DOM-based XSS vulnerability in EzyOnlineBookings Online Booking System Widget plugin for WordPress through version 1.3, allowing arbitrary script execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The EzyOnlineBookings Online Booking System Widget plugin for WordPress, in versions up to and including 1.3, contains a DOM-based Cross-Site Scripting (XSS) vulnerability [1]. The plugin's client-side code takes input an attacker can control (for DOM-based XSS this is typically part of the URL, such as a query parameter or the fragment) and writes it into the page through a DOM sink such as innerHTML without neutralizing it, so markup or script supplied by the attacker is executed by the victim's browser. Because the injection happens entirely in the browser, a payload carried in the URL fragment never reaches the web server, and server-side logging, WAF rules and output escaping in the plugin's PHP offer no protection against it. The plugin was closed and removed from the WordPress.org plugin directory on October 23, 2024 because of this issue [1].

Exploitation

An attacker exploits this by crafting a URL (or other input the widget reads client-side) that carries the payload; when the victim's browser loads the page and the widget's script processes that input, the injected JavaScript runs in the origin of the affected WordPress site [1]. No authentication is required on the attacker's side; the attacker only needs a victim to open the crafted link or interact with the vulnerable widget, and the script then runs with whatever session the victim holds on that site.
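The crafted-URL flow described above, as an added example that is not code from the plugin or from this advisory: a small booking widget written here for illustration reads a `service` parameter from the URL query or fragment (both assumed locations, since the advisory does not name the plugin's actual source or sink), renders it through an innerHTML-style markup sink in the vulnerable variant, and through HTML escaping or a text sink in the hardened variants. The URL is passed in as a string so the code runs under Node; in a browser the call would use `location.href` and assign the result to an element. The sample attack URL and the parameter name are constructed for the example.

```javascript
// Added example, not the EzyOnlineBookings plugin's code. The parameter name
// "service", the markup and the sample URL are assumptions for illustration.

// Minimal escaper for text inserted into HTML element content or quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// The "source": a URL parameter the widget reads client-side. In a browser this
// would be location.href; here the URL is passed in so the code runs under Node.
// The fragment is checked too: it is attacker-controlled and never sent to the server.
function readServiceParam(urlString) {
  const url = new URL(urlString);
  const fromHash = new URLSearchParams(url.hash.replace(/^#/, "")).get("service");
  return url.searchParams.get("service") ?? fromHash ?? "";
}

// VULNERABLE: untrusted text is concatenated into markup that the widget would
// then assign to innerHTML. Any tag or inline event handler in the parameter runs.
function renderVulnerable(urlString) {
  const service = readServiceParam(urlString);
  return `<div class="booking"><h2>Book: ${service}</h2></div>`;
}

// HARDENED (1): escape before building markup. Sufficient for the element-content
// context used here; attribute and URL contexts need context-specific encoding.
function renderHardened(urlString) {
  const service = readServiceParam(urlString);
  return `<div class="booking"><h2>Book: ${escapeHtml(service)}</h2></div>`;
}

// HARDENED (2): skip markup entirely and write the value through a text sink.
// `container` is any object with innerHTML/textContent (a DOM element in the browser).
function mountSafe(container, urlString) {
  container.textContent = "Book: " + readServiceParam(urlString);
  return container.textContent;
}

// Heuristic used only to make the difference observable: true if the output
// contains a <script> tag or an inline event-handler attribute. Not a filter.
function hasActiveMarkup(html) {
  return /<script\b|<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample URL carrying a classic DOM-XSS payload in the query string.
const SAMPLE_ATTACK_URL =
  "https://shop.example/book/?service=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E";

// Stand-alone run: the vulnerable output carries the live payload, the hardened one does not.
console.log("vulnerable:", renderVulnerable(SAMPLE_ATTACK_URL), hasActiveMarkup(renderVulnerable(SAMPLE_ATTACK_URL)));
console.log("hardened:  ", renderHardened(SAMPLE_ATTACK_URL), hasActiveMarkup(renderHardened(SAMPLE_ATTACK_URL)));
```

`hasActiveMarkup` is a test aid, not a defence: a regex blocklist in front of a markup sink is exactly the kind of filter that DOM-XSS payloads are routinely shaped to bypass. The fix is escaping at the sink, or avoiding the markup sink altogether as `mountSafe` does.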

Impact

Successful exploitation lets the attacker run arbitrary JavaScript in the victim's browser within the WordPress site's origin, which enables session hijacking, theft of data visible to the page, defacement, and redirection to malicious sites. On WordPress the practical impact depends on who opens the link: for an anonymous visitor it is confined to that browser, but for a logged-in editor or administrator the script can drive the admin interface and REST API as that user (WordPress nonces are readable from pages the script can fetch in-origin), even though the authentication cookies themselves are HttpOnly and cannot be read directly. The impact is bounded by the victim's browser and the permissions of the user viewing the page [1].

Mitigation

No patch is available; the plugin has been closed and removed from WordPress.org [1]. Sites that have it installed should delete it, not merely deactivate it: a deactivated plugin's files stay under wp-content/plugins and are still served by the web server as static content, so any of its files that are exploitable on their own remain reachable. No official workaround has been provided. A site that must keep the functionality would need to audit the plugin's JavaScript for places where URL-derived input reaches a DOM sink and replace them with text sinks or context-appropriate escaping; a restrictive Content-Security-Policy without unsafe-inline is worthwhile defence in depth but does not fix the bug. The plugin is no longer maintained or distributed.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0
Plugin removed: EzyOnlineBookings Online Booking System Widget (slug: ezyonlinebookings-online-booking-system)

This plugin was removed from the WordPress.org directory on 2024-10-23 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.

Source: api.wordpress.org · directory page

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.