CVE-2024-9504
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload malicious SVG files containing JavaScript that executes when viewed. All WordPress sites using the Booking calendar, Appointment Booking System plugin versions up to 3.2.15 are affected.
💻 Affected Systems
- Booking calendar, Appointment Booking System WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers inject malicious scripts to steal session cookies, redirect users to phishing sites, or display unwanted content.
If Mitigated
With proper file upload restrictions and content security policies, impact is limited to potential data exfiltration from users viewing malicious files.
🎯 Exploit Status
Exploitation requires uploading a malicious SVG file, which is trivial for attackers with basic web knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.16
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3195800/booking-calendar
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Go to Plugins > Installed Plugins. 3. Find 'Booking calendar, Appointment Booking System'. 4. Click 'Update Now' if available. 5. Alternatively, download version 3.2.16+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable SVG uploads via .htaccess
linuxPrevent SVG file uploads at web server level
Add to .htaccess: <FilesMatch "\.svg$">
Order Allow,Deny
Deny from all
</FilesMatch>
Disable plugin temporarily
allDeactivate vulnerable plugin until patched
wp plugin deactivate booking-calendar
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Add file upload restrictions to block SVG files or sanitize all uploaded files
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed PluginsCheck Version:
wp plugin get booking-calendar --field=versionVerify Fix Applied:
Verify plugin version is 3.2.16 or higher and test SVG upload functionality📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads
- Multiple failed upload attempts
- Requests to uploaded SVG files with suspicious parameters
Network Indicators:
- POST requests with SVG file uploads to booking plugin endpoints
- GET requests to uploaded SVG files
SIEM Query:
source="web_server" (uri_path="*svg" OR file_extension="svg") AND (user_agent="*malicious*" OR referrer="*suspicious*")