CVE-2024-10177 in Beds24 Online Booking Plugin
Summary
by MITRE • 11/21/2024
The Beds24 Online Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's beds24-link shortcode in all versions up to, and including, 2.0.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/23/2025
The Beds24 Online Booking plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2024-10177 affecting versions through 2.0.26. This vulnerability resides within the plugin's beds24-link shortcode implementation where insufficient input sanitization and output escaping mechanisms fail to properly validate user-supplied attributes. The flaw allows authenticated attackers possessing contributor-level access or higher to inject malicious scripts into the plugin's shortcode parameters, which then execute whenever any user accesses pages containing the compromised shortcode.
The technical exploitation of this vulnerability stems from the plugin's inadequate handling of user input within the beds24-link shortcode functionality. When administrators or contributors insert the shortcode into posts or pages, they can provide attributes that are not properly sanitized before being stored in the database. The vulnerability specifically manifests when these stored attributes contain malicious script code that gets executed during the rendering of web pages containing the compromised shortcode. This represents a classic stored XSS attack vector where malicious payloads persist in the application's database and execute against unsuspecting users who view the affected content.
The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with a persistent foothold within the WordPress environment. Attackers with contributor privileges can leverage this vulnerability to perform various malicious activities including credential theft, session hijacking, or redirection to malicious sites. The vulnerability affects all users who access pages containing the compromised shortcode regardless of their privilege level, creating a widespread attack surface. Furthermore, the persistence of the malicious scripts means that the attack remains effective until the malicious content is manually removed from the database or the plugin is updated to a patched version.
From a cybersecurity perspective, this vulnerability aligns with CWE-79 (Cross-site Scripting) and represents a significant risk to WordPress installations using the Beds24 plugin. The ATT&CK framework categorizes this as a technique for code injection and privilege escalation, as attackers can use stored XSS to gain access to user sessions and potentially escalate their privileges further within the compromised WordPress environment. Organizations should prioritize immediate patching of the plugin to version 2.0.27 or later, as this represents the first fixed release addressing the input sanitization and output escaping deficiencies. Additionally, administrators should implement strict role-based access controls and monitor user activities for any unauthorized shortcode modifications, while considering temporary removal of the plugin's shortcode functionality until the vulnerability is fully addressed through official updates.