2024-04-17 05:00:02
WPScan
PUBLISHED
The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the Mobile Phone field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the Customers page and the malicious script is executed in the admin context.