CVE-2024-10027
📋 TL;DR
This vulnerability in the WP Booking Calendar WordPress plugin allows high-privilege users (like administrators) to inject malicious scripts into widget settings, which then execute when other users view those widgets. It affects WordPress sites using vulnerable versions of the plugin, particularly in multisite configurations where unfiltered_html capabilities are restricted.
💻 Affected Systems
- WP Booking Calendar WordPress Plugin
📦 What is this software?
Wp Booking Calendar by Wpbookingcalendar
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin privileges could steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially compromising the entire WordPress site.
Likely Case
Malicious admin injects JavaScript that steals user credentials or session tokens when other users view affected widgets.
If Mitigated
With proper user access controls and regular plugin updates, impact is limited to potential data exposure from compromised admin accounts.
🎯 Exploit Status
Exploitation requires admin privileges. Attack vector is through plugin widget settings interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.6.3
Vendor Advisory: https://wpscan.com/vulnerability/a94c7b64-720a-47f1-a74a-691c3a9ed3a1/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WP Booking Calendar.
4. Click 'Update Now' if available.
5. Alternatively, download version 10.6.3+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Remove vulnerable plugin
Temporarily disable or remove the WP Booking Calendar plugin until patched:
wp plugin deactivate wp-booking-calendar
wp plugin delete wp-booking-calendar
Restrict admin access
Limit administrative accounts to trusted personnel only and implement multi-factor authentication.
🧯 If You Can't Patch
- Implement strict access controls for admin accounts with multi-factor authentication
- Use web application firewall rules to block XSS payloads in POST requests to admin-ajax.php
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. Look for WP Booking Calendar version number.
Check Version:
wp plugin get wp-booking-calendar --field=version
Verify Fix Applied:
Confirm plugin version is 10.6.3 or higher after update.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with script tags in parameters
- Admin users modifying widget settings with JavaScript payloads
Network Indicators:
- HTTP requests containing script tags in POST data to WordPress admin endpoints
SIEM Query:
source="wordpress.log" AND ("admin-ajax.php" OR "widgets.php") AND ("<script>" OR "javascript:")
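The version check from the "How to Verify" section and the log indicators above, worked through as an added Python example (not part of this advisory or of the plugin). It compares an installed version string against the patched 10.6.3 release and scans request log lines for POSTs to the admin endpoints whose parameters contain a script tag or a javascript: URL, which is the same condition the SIEM query expresses. The log line layout and the widget parameter names in the sample are constructed for illustration; adapt the parser to whatever your WordPress request logging actually records.

```python
"""Detection helpers for CVE-2024-10027 (stored XSS via WP Booking Calendar widget settings).

Added example, not code from the advisory or the plugin. The log format and the
sample lines below are constructed; real deployments must adapt LOG_LINE.
"""
import re
from urllib.parse import unquote_plus

FIXED_VERSION = (10, 6, 3)  # first patched release named in the advisory

# Admin endpoints named in the advisory's log indicators.
ADMIN_ENDPOINTS = ("/wp-admin/admin-ajax.php", "/wp-admin/widgets.php")

# Indicators from the advisory: script tags and javascript: URLs (case-insensitive).
XSS_PATTERN = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)

# Constructed log layout: "<timestamp> <user> <method> <uri> <urlencoded-params>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<params>.*)$"
)


def parse_version(text):
    """Turn '10.6.3' into (10, 6, 3); a non-numeric suffix such as '-beta' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_version(text):
    """True when the installed plugin version is below the patched 10.6.3."""
    return parse_version(text) < FIXED_VERSION


def scan_log_line(line):
    """Return a finding dict when the line matches the advisory's indicators, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    # Only POSTs to the widget-saving admin endpoints are in scope for this CVE.
    if m["method"] != "POST" or not m["uri"].startswith(ADMIN_ENDPOINTS):
        return None
    # Decode before matching so a percent-encoded %3Cscript%3E is not missed.
    decoded = unquote_plus(m["params"])
    hit = XSS_PATTERN.search(decoded)
    if not hit:
        return None
    return {"ts": m["ts"], "user": m["user"], "uri": m["uri"], "indicator": hit.group()}


def scan_log_lines(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in map(scan_log_line, lines) if f]


# Constructed sample log: the 'widget-wpbc[...]' parameter names are illustrative only.
SAMPLE_LOG = [
    "2024-11-01T10:01:58Z alice GET /wp-admin/widgets.php -",
    "2024-11-01T10:02:03Z alice POST /wp-admin/admin-ajax.php?action=save-widget "
    "widget-wpbc%5B1%5D%5Btitle%5D=Book+a+room",
    "2024-11-01T10:02:11Z alice POST /wp-admin/admin-ajax.php?action=save-widget "
    "widget-wpbc%5B2%5D%5Btitle%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "2024-11-01T10:05:40Z bob POST /wp-admin/widgets.php "
    "savewidget=1&widget-wpbc%5B3%5D%5Blink%5D=javascript%3Aalert%281%29",
    "2024-11-01T10:06:10Z - POST /wp-comments-post.php comment=%3Cscript%3Ex%3C%2Fscript%3E",
]

if __name__ == "__main__":
    for version in ("10.6.2", "10.6.3"):
        print(version, "vulnerable" if is_vulnerable_version(version) else "patched")
    for finding in scan_log_lines(SAMPLE_LOG):
        print(finding)
```

The last sample line carries a script tag but targets a non-admin endpoint, so it is deliberately not reported: that keeps this rule tied to the widget-settings vector the advisory describes rather than turning it into a generic XSS filter. Findings name the authenticated admin account, which is the pivot for the "Admin users modifying widget settings" indicator above.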