CVE-2020-9372

moderate-risk
Published 2020-03-04

The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve remote code execution via CSV injection.

Do I need to act?

!
19.3% chance of exploitation in next 30 days
EPSS score — higher than 81% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
48204
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.8/10 High
LOCAL / LOW complexity

Affected Products (1)

Appointment Booking Calendar

Affected Vendors

Codepeople

References (8)

Exploit http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calend...
Exploit https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9
Release Notes https://wordpress.org/plugins/appointment-booking-calendar/#developers
Permissions Required https://www.hotdreamweaver.com/support/view.php?id=815925
Exploit http://packetstormsecurity.com/files/156694/WordPress-Appointment-Booking-Calend...
Exploit https://drive.google.com/open?id=1NNcYPaJir9SleyVr4cSPqpI2LNM7rtx9
Release Notes https://wordpress.org/plugins/appointment-booking-calendar/#developers
Permissions Required https://www.hotdreamweaver.com/support/view.php?id=815925
43
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 14/34 · Moderate
Exposure 5/34 · Minimal