CVE-2020-9372
Summary
| CVE | CVE-2020-9372 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-03-04 19:15:00 UTC |
| Updated | 2022-01-01 19:35:00 UTC |
| Description | The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection. |
Risk And Classification
Problem Types: CWE-1236 (Improper Neutralization of Formula Elements in a CSV File). Note the attack path: anyone who can submit a booking form supplies the formula, and it executes only when an administrator exports the Bookings list and opens the CSV in a spreadsheet application that evaluates cell formulas; the WordPress server itself never executes it.
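The following is an added illustration of the vulnerability class, not code from the Appointment Booking Calendar plugin or from the references above. It shows an export routine that writes booking fields into a CSV unchanged (the behaviour the description attributes to versions before 1.3.35) next to one that neutralizes formula-leading cells, plus a scanner that flags formula cells in an already exported file. The field names, the sample bookings and the payload strings are constructed for the example.

```python
import csv
import io

# Leading characters that common spreadsheet applications treat as the start
# of a formula. Tab and carriage return are included because some importers
# strip them and then evaluate what follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value):
    """True if the cell would be evaluated as a formula when the CSV is opened."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Force text interpretation of a formula-looking cell.

    A leading apostrophe makes spreadsheet applications treat the cell as a
    literal string; the csv module takes care of quoting. Cells that do not
    start with a trigger character are returned untouched.
    """
    text = "" if value is None else str(value)
    if not is_formula_cell(text):
        return text
    return "'" + text


def export_bookings_csv(bookings, safe=True):
    """Render bookings as CSV. safe=False reproduces the unsanitized export;
    safe=True neutralizes every cell before writing it."""
    buf = io.StringIO()
    # QUOTE_ALL alone is NOT a defence: a quoted "=1+1" is still evaluated.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["Name", "Description", "Date"])
    for booking in bookings:
        row = [booking["name"], booking["description"], booking["date"]]
        writer.writerow([neutralize_cell(c) for c in row] if safe else row)
    return buf.getvalue()


def scan_csv_for_formulas(csv_text):
    """Return (line, column, cell) for every cell that starts with a formula
    trigger. Useful as a pre-open check on any CSV exported from a web app."""
    findings = []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for col, cell in enumerate(row):
            if is_formula_cell(cell):
                findings.append((lineno, col, cell))
    return findings


# Constructed sample data (not real bookings). The second entry carries a
# DDE-style payload in Name and a plain formula in Description, the kind of
# input the description says the booking form accepted unchanged.
SAMPLE_BOOKINGS = [
    {"name": "Alice Example", "description": "Haircut", "date": "2020-03-04"},
    {"name": "=cmd|' /C calc'!A0", "description": "@SUM(1+1)", "date": "2020-03-05"},
]

if __name__ == "__main__":
    unsafe = export_bookings_csv(SAMPLE_BOOKINGS, safe=False)
    print("unsafe export flags:", scan_csv_for_formulas(unsafe))
    print("safe export flags:", scan_csv_for_formulas(export_bookings_csv(SAMPLE_BOOKINGS)))
```

The apostrophe prefix is the neutralization OWASP recommends for this CWE; its cost is that legitimate values beginning with `-`, `+` or `@` (negative numbers, some handles) also gain a visible apostrophe when opened from CSV, so apply it at export time only, never when storing the booking. The scanner is the check to run on a downloaded export before opening it in a spreadsheet, whatever application produced the file.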
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Codepeople | Appointment Booking Calendar | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| WordPress Appointment Booking Calendar 1.3.34 CSV Injection ≈ Packet Storm | MISC | packetstormsecurity.com | |
| appointment_booking_calendar - Google Drive | MISC | drive.google.com | Exploit, Third Party Advisory |
| Plugins and Extensions Support | MISC | www.hotdreamweaver.com | Permissions Required |
| WordPress › Appointment Booking Calendar « WordPress Plugins | MISC | wordpress.org | Release Notes |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.