CVE-2024-9306
📋 TL;DR
The WP Booking Calendar plugin for WordPress has a stored cross-site scripting (XSS) vulnerability that allows authenticated attackers with administrator permissions to inject malicious scripts into pages. This affects multi-site WordPress installations and sites where unfiltered_html is disabled. The injected scripts execute whenever users access compromised pages.
💻 Affected Systems
- WP Booking Calendar WordPress Plugin
📦 What is this software?
Wp Booking Calendar by Wpbookingcalendar
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with admin access inject malicious scripts to steal session cookies or user data from visitors accessing affected pages.
If Mitigated
With proper user access controls and unfiltered_html enabled, the vulnerability impact is limited to administrators who already have full site control.
🎯 Exploit Status
Requires authenticated administrator access or lower-level users granted plugin management permissions. Exploitation involves injecting scripts through admin settings.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.7 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3161259%40booking&new=3158531%40booking&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WP Booking Calendar and click 'Update Now'.
4. Verify the version is 10.7 or higher.
🔧 Temporary Workarounds
Enable unfiltered_html capability
Enable the unfiltered_html capability for administrators to prevent exploitation in single-site installations
Add define('DISALLOW_UNFILTERED_HTML', false); to wp-config.php
Restrict plugin management permissions
Remove plugin management permissions from non-administrator users
Use WordPress role management plugins or custom code to revoke 'manage_options' capability from non-admin roles
🧯 If You Can't Patch
- Disable or remove the WP Booking Calendar plugin entirely
- Implement strict access controls to ensure only trusted administrators can manage plugin settings
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the WP Booking Calendar version. If the version is 10.6 or lower, the system is vulnerable.
Check Version:
wp plugin list --name='booking' --field=version (if WP-CLI is installed), or check the WordPress admin plugins page
Verify Fix Applied:
After updating, verify WP Booking Calendar version shows 10.7 or higher in WordPress admin plugins page.
📡 Detection & Monitoring
Log Indicators:
- Unusual admin user activity modifying plugin settings
- Suspicious script tags in booking calendar settings or page content
Network Indicators:
- Unexpected external script loads from booking calendar pages
- Suspicious redirects from calendar pages
SIEM Query:
source="wordpress" AND ((event="plugin_updated" AND plugin_name="booking" AND old_version<="10.6") OR (event="option_update" AND option_name LIKE "%booking%"))
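As an added example (not from the advisory or the plugin vendor), the two checks above expressed as a Python routine: the version comparison against the fixed release 10.7, and a scan of booking-related option values for the script-injection markers named under Log Indicators. The option rows are constructed sample data standing in for wp_options, not real plugin output.

```python
import re

# Constructed sample rows in the shape of wp_options (option_name, option_value).
# These are illustrative values, not data from any real site.
SAMPLE_OPTIONS = [
    ("booking_title", "Book your stay"),
    ("booking_footer_note", "Call us <b>today</b>"),
    ("booking_custom_css", '<script src="https://example.invalid/x.js"></script>'),
    ("booking_thank_you", '<img src=x onerror="doSomething()">'),
    ("siteurl", "https://example.invalid"),
]

FIXED_VERSION = "10.7"  # from the advisory: 10.7 and later are patched

# Markers for stored-XSS payloads in settings: script tags, inline event handlers, javascript: URLs
SCRIPT_RE = re.compile(r"<\s*script\b", re.I)
HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.I)
JS_URL_RE = re.compile(r"javascript\s*:", re.I)


def parse_version(version):
    """Turn '10.6.1' into (10, 6, 1); non-numeric suffixes are ignored."""
    return tuple(int(m.group()) for m in re.finditer(r"\d+", version))


def is_vulnerable_version(version, fixed=FIXED_VERSION):
    """True when the installed plugin version is below the fixed release."""
    return parse_version(version) < parse_version(fixed)


def find_suspicious_options(rows, name_filter="booking"):
    """Return (option_name, [reasons]) for booking-related options carrying script markers."""
    hits = []
    for name, value in rows:
        if name_filter not in name.lower():
            continue  # mirrors option_name LIKE "%booking%" in the SIEM query
        reasons = []
        if SCRIPT_RE.search(value):
            reasons.append("script tag")
        if HANDLER_RE.search(value):
            reasons.append("inline event handler")
        if JS_URL_RE.search(value):
            reasons.append("javascript: URL")
        if reasons:
            hits.append((name, reasons))
    return hits


if __name__ == "__main__":
    print("10.6.1 vulnerable:", is_vulnerable_version("10.6.1"))
    for name, reasons in find_suspicious_options(SAMPLE_OPTIONS):
        print(f"{name}: {', '.join(reasons)}")
```

On a live site the rows would come from `wp option list --search='*booking*'` or a direct query against wp_options; a hit is a cue to review who last changed that setting, not proof of compromise by itself.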