CVE-2024-13323 – The WP Booking Calendar plugin for WordPress ha... (How to Fix)

📋 TL;DR

The WP Booking Calendar plugin for WordPress has a stored XSS vulnerability that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages. These scripts execute whenever users visit the compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:

WP Booking Calendar WordPress Plugin

Versions: All versions up to and including 10.9.2

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the plugin enabled and at least one user with contributor-level access.

📦 What is this software?

Wp Booking Calendar by Wpbookingcalendar

View all CVEs affecting Wp Booking Calendar →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.

🟠

Likely Case

Attackers with contributor access inject malicious scripts to steal user session cookies or credentials, potentially escalating privileges.

🟢

If Mitigated

With proper user access controls and content security policies, impact is limited to script execution in the context of the vulnerable page.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is straightforward once an attacker has contributor privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.9.3 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3220625/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find WP Booking Calendar
4. Click 'Update Now' if available
5. If no update appears, download version 10.9.3+ from WordPress.org
6. Deactivate, delete old version, upload and activate new version

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the WP Booking Calendar plugin until patched

wp plugin deactivate booking

Restrict User Roles

all

Remove contributor-level access from untrusted users

wp user list --role=contributor --field=ID
wp user set-role <user_id> subscriber

🧯 If You Can't Patch

Implement Content Security Policy (CSP) headers to restrict script execution
Regularly audit user accounts and remove unnecessary contributor-level access

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 10.9.2 or lower, you are vulnerable.

Check Version:

wp plugin get booking --field=version

Verify Fix Applied:

After updating, verify plugin version shows 10.9.3 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to booking-related endpoints
Multiple failed login attempts followed by successful contributor login
Suspicious script tags in page content containing booking shortcodes

Network Indicators:

Unexpected outbound connections from WordPress site after visiting booking pages
Suspicious JavaScript loading from booking calendar pages

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/post.php" OR uri_path="/wp-admin/admin-ajax.php") AND (user_agent CONTAINS "script" OR params CONTAINS "booking_calendar")

📊 Metadata

CVE ID: CVE-2024-13323

CVSS v3 Score: 6.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.08% exploit probability (23.4th percentile)

Published: January 14, 2025

Last Updated: August 12, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-13323, you might also want to check these: