Submit #786154: Craig A Rodway classroombookings 2.16.4 Stored Cross-Site Scripting (XSS)info

TitleCraig A Rodway classroombookings 2.16.4 Stored Cross-Site Scripting (XSS)
DescriptionA stored cross-site scripting (XSS) vulnerability in Classroom Bookings v2.16.4 allows authenticated users with the Teacher role to inject arbitrary JavaScript via the Display Name field in the profile settings. The malicious payload is stored and executed when the affected data is rendered, leading to execution of attacker-controlled scripts in other users’ browsers.
Source⚠️ https://github.com/sudo-secure/security-research/blob/main/classroombookings/stored-xss/PoC.md
User
 sudosme (UID 96548)
Submission03/23/2026 13:54 (4 months ago)
Moderation04/17/2026 08:58 (25 days later)
StatusAccepted
VulDB entry358027 [classroombookings up to 2.17.0 User Display Name layout.php read displayname cross site scripting]
Points18

Do you want to use VulDB in your project?

Use the official API to access entries easily!