Amelia Booking Vulnerability – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode – CVE-2023-6808 | WordPress Plugin Vulnerability Report
Plugin Name: Amelia Booking
Key Information:
- Software Type: Plugin
- Software Slug: ameliabooking
- Software Status: Active
- Software Author: ameliabooking
- Software Downloads: 535,131
- Active Installs: 60,000
- Last Updated: January 18, 2024
- Patched Versions: 1.0.94
- Affected Versions: <= 1.0.93
Vulnerability Details:
- Name: Booking for Appointments and Events Calendar – Amelia <= 1.0.93 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
- Title: Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2023-6808
- CVSS Score: 6.4 (Medium)
- Publicly Published: January 18, 2024
- Researcher: Ngô Thiên An
- Description: The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.0.93 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The Amelia Booking plugin for WordPress has a vulnerability in versions up to and including 1.0.93 that allows authenticated users with Contributor-level access or higher to inject arbitrary web scripts via insufficiently sanitized shortcode attributes. The issue is patched in version 1.0.94.
Detailed Overview:
This stored cross-site scripting (XSS) vulnerability exists because attribute values supplied to the plugin's shortcodes are neither sanitized on input nor escaped on output. Contributor-level post content does pass through WordPress's kses filtering, but a shortcode attribute is just text inside square brackets, so a quote character or an event-handler name placed in it survives that filtering and reaches the plugin's rendering code intact. An attacker with at least Contributor access can therefore store a persistent XSS payload in a post or page that executes in the browser of every visitor, and of any editor or administrator who previews the page, which can be leveraged for session hijacking, phishing, or other browser-based attacks. The vulnerability lies in the booking-confirm and booking-reminder shortcodes in /src/application/views/shortcodes/ComponentsShortcodesService.php and was discovered by researcher Ngô Thiên An. Version 1.0.94 remediates the issue by escaping shortcode attributes before output.
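The following is an added example, not code from Amelia or from the report above: it shows the generic shape of a shortcode-attribute XSS next to the hardened form the fix describes (escape every attribute for the context it lands in, validate values that have a known shape). The shortcode tag demo_booking, its attributes and the markup are hypothetical; the WordPress functions shortcode_atts, esc_attr, esc_html and absint are real, and the file defines stand-ins for them only so that it runs outside WordPress.

```php
<?php
// Added example (not Amelia's code): a stored XSS through shortcode attributes
// and the hardened version. "demo_booking" and its attributes are hypothetical.

// Stand-ins so the file runs outside WordPress. The real implementations live
// in wp-includes/formatting.php and wp-includes/shortcodes.php.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('absint')) {
    function absint($n) { return abs((int) $n); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        return array_merge($pairs, array_intersect_key((array) $atts, $pairs));
    }
}

// VULNERABLE: attribute values are concatenated straight into HTML. A post
// containing [demo_booking title='x" onmouseover="alert(1)'] is plain text as
// far as Contributor-level kses filtering is concerned, so the quote and the
// event handler reach this function intact and break out of the attribute.
function demo_booking_vulnerable($atts) {
    $atts = shortcode_atts(['title' => 'Book now', 'color' => '#000', 'service' => 0], $atts);
    return '<div class="demo-booking" title="' . $atts['title'] . '"'
         . ' style="color:' . $atts['color'] . '"'
         . ' data-service="' . $atts['service'] . '">'
         . '<h3>' . $atts['title'] . '</h3></div>';
}

// HARDENED: each attribute is escaped for the context it lands in (esc_attr in
// attributes, esc_html in element content), and values with a known shape (an
// integer id, a hex colour) are validated rather than merely escaped, which
// also closes the style-attribute case.
function demo_booking_hardened($atts) {
    $atts    = shortcode_atts(['title' => 'Book now', 'color' => '#000', 'service' => 0], $atts);
    $color   = preg_match('/^#[0-9a-fA-F]{3,6}$/', $atts['color']) ? $atts['color'] : '#000';
    $service = absint($atts['service']);
    return '<div class="demo-booking" title="' . esc_attr($atts['title']) . '"'
         . ' style="color:' . esc_attr($color) . '"'
         . ' data-service="' . esc_attr($service) . '">'
         . '<h3>' . esc_html($atts['title']) . '</h3></div>';
}

// Constructed attribute values of the kind a Contributor could store in a post.
$payload = [
    'title'   => 'x" onmouseover="alert(document.cookie)',
    'color'   => '#fff" onfocus="alert(1)" autofocus="',
    'service' => '1" onclick="alert(2)',
];

echo "vulnerable:\n", demo_booking_vulnerable($payload), "\n\n";
echo "hardened:\n", demo_booking_hardened($payload), "\n";
```

Run it with `php demo.php` and compare the two outputs: in the vulnerable markup the quotes close the attribute early and the `on*` handlers become live attributes, while in the hardened markup they are rendered as `&quot;` inside the attribute value. Note that escaping alone is not enough for a `style` attribute, which is why the colour is validated against a pattern.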
Advice for Users:
- Immediate Action: Update to Amelia Booking version 1.0.94 as soon as possible.
- Check for Signs of Vulnerability: Review pages and posts for unexpected shortcodes or code. Scan site for malware.
- Alternate Plugins: Consider alternative booking plugins like Bookly or Easy Appointments as a precaution.
- Stay Updated: Enable automatic updates for plugins to receive security patches when available. Monitor the Amelia Booking changelog.
Conclusion:
This vulnerability further emphasizes the importance of timely security updates for plugins. Users should update to version 1.0.94 immediately to mitigate risks. Proactive monitoring for vulnerabilities is key, as is limiting editing access to trusted users.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ameliabooking
Detailed Report:
Keeping your website secure should be a top priority – but with plugins constantly needing updates, it can be a challenge even for experienced WordPress users. Unfortunately, I have some troubling news about a popular appointment booking plugin called Amelia Booking. A serious vulnerability was recently disclosed that allows authenticated users to inject malicious scripts into pages and posts. That means if your site is running any version of Amelia Booking up to and including 1.0.93, you are at risk.
Overview of Amelia Booking Plugin
The Amelia Booking plugin is an appointment and events booking solution that is active on over 60,000 WordPress sites. It allows site owners to easily set up scheduling services, take payments, configure reminders, and more. The plugin has over 535,000 downloads to date indicating its widespread popularity.
Details of the Vulnerability (CVE-2023-6808)
Researcher Ngô Thiên An discovered a stored cross-site scripting (XSS) vulnerability impacting Amelia Booking versions up to and including 1.0.93. The issue lies in insufficient sanitization of user input passed via shortcode attributes. This means attackers with at least Contributor access could inject persistent XSS payloads that would execute for any visiting user.
Successful exploitation of this vulnerability can lead to a wide range of threats including site defacements, phishing attempts, hijacked user sessions, and malware infections.
Risks and Impacts
While exploitation does require Contributor access or higher, attackers frequently obtain such accounts through credential stuffing or social engineering, and many sites grant Contributor or editing roles more broadly than they need to. The issue is scored 6.4 (Medium) rather than critical because an account is required, but exploitation is straightforward once one is obtained and a single injected page affects every visitor, including administrators who view it, so it deserves prompt attention.
How to Update and Remediate
Updating to version 1.0.94 will patch this vulnerability by escaping shortcode attributes before output. I highly recommend doing so as soon as possible. Don't let this slip through the cracks.
Additionally you should:
- Check your site for any unexpected code or shortcodes
- Scan your site for malware just in case
- Limit editing access only to users that absolutely need it
- Consider setting up two-factor authentication for admin accounts
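The checks above ("look for unexpected code or shortcodes") are easier to do with a scanner than by eye. The script below is an added example, not part of the original report or of Amelia: it walks post content, pulls apart every shortcode it finds with a simplified version of WordPress's shortcode syntax, and flags attribute values that contain the ingredients of an attribute breakout (quotes, angle brackets, `on*=` handlers, `javascript:` or `data:text/html` URIs). The sample posts and their shortcode tags are constructed.

```php
<?php
// Added example (not Amelia's or WordPress's code): flag shortcode attribute
// values in post content that look like XSS breakout attempts.

// Ordered so that the most telling rule wins when several match.
const SUSPICIOUS_ATTR_PATTERNS = [
    'event_handler'  => '/\bon[a-z]+\s*=/i',
    'javascript_uri' => '/javascript\s*:/i',
    'data_uri'       => '/data\s*:\s*text\/html/i',
    'angle_bracket'  => '/[<>]/',
    'quote'          => '/["\']/',
];

// Returns one finding per suspicious attribute:
// ['post_id' => .., 'tag' => .., 'attr' => .., 'value' => .., 'rule' => ..]
function scan_post_for_shortcode_xss(int $post_id, string $content): array {
    $findings = [];
    // [tag attr="v" attr2='v' attr3=v]   (simplified; WordPress's own regex
    // also handles escaped brackets and enclosing shortcodes)
    if (!preg_match_all('/\[([a-zA-Z0-9_-]+)((?:\s+[^\]]*)?)\]/', $content, $tags, PREG_SET_ORDER)) {
        return $findings;
    }
    foreach ($tags as $tag) {
        // Double-quoted, single-quoted and bare attribute values.
        preg_match_all('/([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/', $tag[2], $attrs, PREG_SET_ORDER);
        foreach ($attrs as $a) {
            $value = $a[2] !== '' ? $a[2] : ($a[3] !== '' ? $a[3] : ($a[4] ?? ''));
            foreach (SUSPICIOUS_ATTR_PATTERNS as $rule => $re) {
                if (preg_match($re, $value)) {
                    $findings[] = [
                        'post_id' => $post_id, 'tag' => $tag[1], 'attr' => $a[1],
                        'value' => $value, 'rule' => $rule,
                    ];
                    break; // one finding per attribute is enough to triage
                }
            }
        }
    }
    return $findings;
}

// Constructed sample: three posts, one carrying a single-quoted value that
// smuggles a double quote and an event handler into the attribute.
$posts = [
    11 => 'Welcome! [demo_booking service=3 title="Book a massage"]',
    12 => "Our events: [demo_events category='Yoga' color=\"#336699\"]",
    13 => "Call us [demo_booking title='x\" onmouseover=\"alert(document.cookie)' service=1]",
];

$all = [];
foreach ($posts as $id => $content) {
    $all = array_merge($all, scan_post_for_shortcode_xss($id, $content));
}
foreach ($all as $f) {
    printf("post %d: [%s] attr %s flagged by %s: %s\n",
        $f['post_id'], $f['tag'], $f['attr'], $f['rule'], $f['value']);
}
```

On a live site, feed it real content, for example the output of `wp post get <ID> --field=post_content` for each post returned by `wp post list --post_type=post,page --fields=ID,post_author --format=csv`, and look first at hits whose post_author holds the Contributor role. Expect some false positives from the `quote` rule (an apostrophe in "Women's yoga" trips it), so treat the output as a review list rather than something to delete automatically.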
Past Vulnerabilities
This is unfortunately not the first vulnerability found in Amelia Booking: 10 others have been publicly disclosed since February 2022. That history is worth weighing when deciding how much to trust the plugin's release process and how quickly to apply its updates.
Conclusion
As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.
Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.