RULE (RULE ID: 324378)

Rule General Information
Release Date: 2020-03-17
Rule Name: Wordpress Plugin Appointment Booking Calendar Stored Cross Site Scripting Injection Vulnerability (CVE-2020-9371)
Rule Protection Details
Description: Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML.
Impact: If an affected version is installed, an attacker can conduct a cross-site scripting attack to inject malicious client-side scripts into web pages viewed by other users, or to bypass access controls such as the same-origin policy.
Affected OS: Windows, Others
The vendors have released upgrade patches to fix vulnerabilities; please visit: