CVE-2024-8797 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the WP Booking System – Booking Calendar plugin for WordPress, maintained by murgroland. The vulnerability exists because the plugin uses WordPress functions add_query_arg and remove_query_arg to manipulate URL query parameters without applying appropriate escaping or sanitization. This improper neutralization of input (CWE-79) allows attackers to craft URLs containing malicious JavaScript payloads. When a victim clicks such a URL, the injected script executes in their browser context, potentially stealing cookies, session tokens, or performing actions on behalf of the user. The vulnerability affects all plugin versions up to and including 2.0.19.8. It requires no authentication but does require user interaction (clicking a malicious link). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, with no impact on availability. No public exploits have been reported yet, but the widespread use of WordPress and this plugin increases the attack surface. The vulnerability is particularly dangerous for sites handling sensitive user data or financial transactions through booking systems.

The primary impact of CVE-2024-8797 is on the confidentiality and integrity of user data on affected WordPress sites using the vulnerable plugin. Attackers can execute arbitrary scripts in the context of the victim’s browser, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the user. While availability is not directly affected, successful exploitation can undermine user trust and lead to reputational damage. Organizations relying on the WP Booking System plugin for booking or reservation services may face increased risk of targeted phishing campaigns leveraging this vulnerability. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially for sites with high traffic or less security-aware users. The vulnerability could be chained with other attacks to escalate impact. Given the plugin’s popularity in small to medium businesses globally, the threat landscape is broad.

1. Monitor for and apply official patches or updates from murgroland as soon as they are released to fix this vulnerability. 2. Until patches are available, implement Web Application Firewall (WAF) rules to detect and block suspicious query parameters containing script payloads targeting the affected plugin endpoints. 3. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of reflected XSS. 4. Educate users and administrators about phishing risks and the dangers of clicking untrusted links, especially those purporting to be related to booking or reservation services. 5. Review and harden input validation and output encoding practices in custom code interacting with the plugin or its URLs. 6. Conduct regular security audits and penetration testing focusing on XSS vulnerabilities in the WordPress environment. 7. Consider temporarily disabling or replacing the vulnerable plugin if immediate patching is not feasible and risk is high.