JVNDB-2017-000092
|
WordPress plugin "WP Booking System" vulnerable to cross-site scripting
|
The WordPress plugin "WP Booking System" provided by WP Booking System contains a stored cross-site scripting vulnerability (CWE-79).
Satoshi Takagi of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 5.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
WP Booking System
- WP Booking System Free version prior to version 1.4
- WP Booking System Premium version prior to version 3.7
|
|
An arbitrary script may be executed in the web browser of a user who is logged in as an administrator.
|
[Update the plugin]
Update the plugin according to the information provided by the developer.
The developer states:
The Free (1.4 and higher) and the Premium version (3.7 and higher) are patched. Update the plugin or contact the plugin developer at support@wpbookingsystem.com if you have any questions.
|
WP Booking System
|
- Cross-site Scripting (CWE-79) [IPA Evaluation]
|
- CVE-2017-2168
|
- JVN : JVN#96165722
- National Vulnerability Database (NVD) : CVE-2017-2168
|
- [2017/05/16] Web page was published
- [2018/01/17] References : Content was added
|