CVE-2024-10027

CVSS 3.1 Score 4.8 of 10 (medium)

Details

Published: Nov 7, 2024
Updated: Nov 8, 2024

Summary

CVE-2024-10027 is a vulnerability affecting the WP Booking Calendar plugin for WordPress. Before version 10.6.3, the plugin fails to properly sanitize and escape some settings in its widgets, making them susceptible to Stored Cross-Site Scripting (XSS) attacks. High-privilege users, including admins, can still exploit this vulnerability in multisite setups, even though the unfiltered_html capability is supposed to be disallowed in such cases.
