Attacker Value
Very Low
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Required
Privileges Required
High
Attack Vector
Network

CVE-2020-9371

Disclosure Date: March 04, 2020

Description

Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML.
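The description above points at the classic stored XSS shape: a setting accepted from an admin form and later echoed into a page without escaping. The following is an added example, not code from the Appointment Booking Calendar plugin, showing that unsafe pattern next to a hardened version built on WordPress's own helpers (`sanitize_text_field`, `wp_unslash`, `esc_html`, `esc_attr`, `check_admin_referer`, `current_user_can`). The `hypo_` function and option names are hypothetical.

```php
<?php
// Added example (not the plugin's own code): the unsafe pattern behind a stored
// XSS in an admin-supplied setting such as a calendar name, beside a hardened
// version using WordPress's own sanitisation and escaping helpers.
// Function and option names prefixed "hypo_" are hypothetical.

// --- Vulnerable pattern: raw input stored, raw value echoed into HTML ---
function hypo_save_calendar_name_unsafe() {
    if ( isset( $_POST['calendar_name'] ) ) {
        // Stored verbatim: a <script> tag or an event-handler attribute
        // survives into the database unchanged.
        update_option( 'hypo_calendar_name', wp_unslash( $_POST['calendar_name'] ) );
    }
}

function hypo_render_calendar_name_unsafe() {
    // Echoed verbatim: whatever was stored is parsed as markup by every
    // user who loads the page, which is what makes the XSS "stored".
    echo '<h2>' . get_option( 'hypo_calendar_name', '' ) . '</h2>';
}

// --- Hardened pattern: capability check, nonce, sanitise on input, escape on output ---
function hypo_save_calendar_name() {
    // Only users allowed to manage settings may change the value.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // The form must carry a nonce for this action (CSRF protection);
    // check_admin_referer() dies if it is missing or invalid.
    check_admin_referer( 'hypo_save_calendar_name' );

    if ( isset( $_POST['calendar_name'] ) ) {
        // sanitize_text_field() strips tags, removes line breaks and extra
        // whitespace, and drops octets that cannot form valid UTF-8.
        $name = sanitize_text_field( wp_unslash( $_POST['calendar_name'] ) );
        update_option( 'hypo_calendar_name', $name );
    }
}

function hypo_render_calendar_name() {
    $name = get_option( 'hypo_calendar_name', '' );
    // Escape at output time for the context the value lands in:
    // esc_html() for element content, esc_attr() for attribute values.
    echo '<h2>' . esc_html( $name ) . '</h2>';
    echo '<input type="text" name="calendar_name" value="' . esc_attr( $name ) . '">';
}
```

Sanitising on input alone is not sufficient: values can reach the database through other paths (imports, REST, direct SQL), so the output escaping is the control that actually prevents script execution, and it has to match the HTML context (element body versus attribute) where the value is rendered.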

Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very High
Technical Analysis

This plugin is currently listed as having over 5000 active installations and a little over three hundred thousand downloads.

The ability to add an XSS payload is only available when creating or updating calendars, which is an admin-level feature. This means it is unlikely to be valuable to an attacker, as if they already have this level of access there are more damaging attacks that can be performed.

CVSS V3 Severity and Metrics
  • Base Score:
    4.8 Medium
  • Impact Score:
    2.7
  • Exploitability Score:
    1.7
  • Vector:
    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
  • Attack Vector (AV):
    Network
  • Attack Complexity (AC):
    Low
  • Privileges Required (PR):
    High
  • User Interaction (UI):
    Required
  • Scope (S):
    Changed
  • Confidentiality (C):
    Low
  • Integrity (I):
    Low
  • Availability (A):
    None

General Information

Vendors

  • codepeople

Products

  • appointment booking calendar