CVE-2024-9306
CVSS 3.1 Score 4.8 of 10 (medium)
Details
Summary
CVE-2024-9306 is a stored cross-site scripting (XSS) vulnerability in the WP Booking Calendar plugin for WordPress, affecting all versions up to 10.6. The cause is insufficient input sanitization and output escaping of values in the plugin's admin settings: what is submitted into a settings field is stored and later rendered into a page without being neutralized. An authenticated attacker with administrator-level access can therefore store arbitrary web script that executes in the browser of any user who loads an injected page. The flaw is only meaningful where administrators lack the unfiltered_html capability, which is the case on multisite installations (only super admins hold it) and on sites where it has been disabled, for example via DISALLOW_UNFILTERED_HTML; an administrator who has unfiltered_html can already publish script legitimately, which is why the severity is rated medium. Site administrators can also delegate management of the plugin's settings to lower-privileged roles, which widens the set of accounts able to exploit the issue.
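The following PHP is an added illustration of the bug class described above, not code from the Booking Calendar plugin. It shows a hypothetical settings field (the option name, field name and function names are invented for the example) saved and rendered with no sanitization or escaping, next to a hardened version that checks capabilities, sanitizes on save and escapes on output. Small stand-in functions are defined so the file runs outside WordPress; they approximate, not reproduce, the real WordPress functions, which are used instead when the file is loaded inside WordPress.

```php
<?php
// Added example for CVE-2024-9306's bug class (stored XSS via admin settings).
// Not Booking Calendar's code; option/field/function names are hypothetical.

// Stand-ins so this runs stand-alone. Inside WordPress the real functions win.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string)$s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string)$s)); }
}
if (!function_exists('current_user_can')) {
    // Constructed: simulates a multisite administrator, who can manage options
    // but does NOT hold unfiltered_html (the situation the advisory scopes to).
    function current_user_can($cap) { return $cap === 'manage_options'; }
}
if (!function_exists('update_option')) {
    $GLOBALS['example_options'] = [];
    function update_option($k, $v) { $GLOBALS['example_options'][$k] = $v; return true; }
    function get_option($k, $d = '') { return $GLOBALS['example_options'][$k] ?? $d; }
}

// Vulnerable pattern: the raw POST value is stored and later echoed straight
// into an HTML attribute. A value containing '">' breaks out of the attribute.
function vuln_save_title(array $post) {
    update_option('bc_calendar_title', $post['bc_calendar_title']);
}
function vuln_render_title() {
    return '<input type="text" name="bc_calendar_title" value="'
        . get_option('bc_calendar_title') . '">';
}

// Hardened pattern: capability gate, sanitize on save, escape on output.
function safe_save_title(array $post) {
    if (!current_user_can('manage_options')) {
        return false;
    }
    // Users without unfiltered_html must not be able to persist markup at all;
    // users who hold it may, mirroring what WordPress allows them elsewhere.
    $value = current_user_can('unfiltered_html')
        ? (string)$post['bc_calendar_title']
        : sanitize_text_field($post['bc_calendar_title']);
    update_option('bc_calendar_title', $value);
    return true;
}
function safe_render_title() {
    // Escaping on output is what actually stops the attribute breakout.
    return '<input type="text" name="bc_calendar_title" value="'
        . esc_attr(get_option('bc_calendar_title')) . '">';
}

// Constructed payload of the kind an administrator-level attacker would submit.
$post = ['bc_calendar_title' => '"><script>alert(document.cookie)</script>'];

vuln_save_title($post);
echo vuln_render_title(), "\n";   // attribute is closed and a <script> tag lands in the page

safe_save_title($post);
echo safe_render_title(), "\n";   // tags stripped on save, remaining quotes escaped on output
```

In a real plugin the save path would also verify a nonce (check_admin_referer) and the sanitization would normally be registered as the sanitize_callback of register_setting, so it cannot be bypassed by any code path that updates the option; output escaping still has to happen at every render site, since a value that is safe in one context (an attribute) is not automatically safe in another (HTML body, JavaScript).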