CVE-2024-7129

Published Sep 13, 2024

Last updated 2 months ago

CVSS high 7.2

Overview

Description: The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to remote code Execution by high privilege such as admins
Source: contact@wpscan.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.2
Impact score: 5.9
Exploitability score: 1.2
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

nvd@nist.gov: NVD-CWE-Other

Hype score: Not currently trending

Excited to share that I’ve been assigned four new CVEs for my findings on Simply Schedule Appointment (SSA) and PageLayer plugins of WordPress: - CVE-2024-7129 - CVE-2024-7877 - CVE-2024-7876 - CVE-2024-8426 Also I am at rank 8th on the WordPress leaderboard. #bugbounty
@__jeewan_
3 Nov 2024
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:nsqua:simply_schedule_appointments:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D1C877E3-52DA-428B-8F78-5DAD3B812B36",
            "versionEndExcluding": "1.6.7.43"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References