← volver
CVE-2020-9372

CVE-2020-9372

EPSS 8.6%
The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.
Productos afectados
n/a · n/a
PoCs públicas encontradas2
cve_referencepacketstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.htmlno verificadoexploitdbwww.exploit-db.com/exploits/48204no verificado
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calendar-1.3.34-CSV-Injection.htmlhttps://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9https://wordpress.org/plugins/appointment-booking-calendar/#developershttps://www.hotdreamweaver.com/support/view.php?id=815925