CVE-2024-51873
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Masashi Takizawa Multi-day Booking Calendar multi-day-booking-calendar allows DOM-Based XSS. This issue affects Multi-day Booking Calendar: from n/a through <= 1.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-Based XSS vulnerability in WordPress Multi-day Booking Calendar plugin <=1.0.1 allows attackers to inject malicious scripts via crafted input, requiring user interaction.
Vulnerability Overview
The Multi-day Booking Calendar plugin for WordPress (versions up to and including 1.0.1) contains a DOM-Based Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary JavaScript that executes in the browser context of a victim user [1].
Exploitation Details
Exploitation requires a privileged user (such as an administrator) to perform an action like clicking a malicious link, visiting a crafted page, or submitting a specially crafted form. Because the vulnerability is DOM-based, the payload is executed client-side after the page loads, bypassing server-side filters [1]. The attack does not require direct network access to the server but relies on social engineering to trigger the malicious action.
Impact
Successful exploitation allows an attacker to inject malicious scripts, which can be used to redirect visitors to malicious sites, display unwanted advertisements, steal session cookies, or perform other actions within the context of the affected site. The reference notes that such vulnerabilities are frequently used in mass-exploit campaigns targeting thousands of WordPress sites [1].
Mitigation
The vendor has not released a patched version beyond 1.0.1. Users are advised to update the plugin to the latest available version; if an update is not possible, immediate action such as disabling the plugin or seeking assistance from a hosting provider or web developer is recommended [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0.1
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.