CVE-2020-9372

HIGH

Codepeople Appointment Booking Calendar - Remote Code Execution


Description

The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input in any booking form (in fields such as Description or Name) to be an arbitrary spreadsheet formula, which is then exported without neutralization via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. An attacker could achieve remote code execution via CSV injection when an administrator opens the exported file in a spreadsheet application.
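The defect class here is CWE-1236: exported cells that begin with a formula trigger are evaluated by the spreadsheet that opens the CSV. The following is an added illustration (not the plugin's code, written in Python rather than the plugin's PHP) of the two controls a defender wants: neutralizing formula-leading cells at export time, and flagging stored records whose fields already look like formulas. The booking records and field names are constructed sample data.

```python
import csv
import io

# Leading characters that make common spreadsheet applications treat a cell
# as a formula (CWE-1236). Tab and CR matter because they can split a cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if the cell would be interpreted as a formula when opened."""
    return bool(value) and value[0] in FORMULA_TRIGGERS


def neutralize_cell(value) -> str:
    """Prefix formula-looking cells with a single quote so they stay text.

    Caveat: legitimate values such as phone numbers starting with '+' or
    negative numbers starting with '-' are also prefixed; that trade-off is
    normally accepted for exports that will be opened in a spreadsheet.
    """
    text = "" if value is None else str(value)
    if is_formula_like(text):
        text = "'" + text
    return text


def export_bookings_csv(bookings, fields) -> str:
    """Write bookings as CSV with every cell quoted and neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fields)
    for booking in bookings:
        writer.writerow(neutralize_cell(booking.get(f)) for f in fields)
    return buf.getvalue()


def find_formula_fields(bookings, fields):
    """Detection: (record index, field name) pairs whose stored value is formula-like."""
    hits = []
    for idx, booking in enumerate(bookings):
        for field in fields:
            value = booking.get(field)
            if value is not None and is_formula_like(str(value)):
                hits.append((idx, field))
    return hits


# Constructed sample data, not real bookings.
FIELDS = ["Name", "Description"]
SAMPLE_BOOKINGS = [
    {"Name": "=1+1", "Description": "Room with a view"},
    {"Name": "+44 20 7946 0000", "Description": "Call me"},
    {"Name": "Alice", "Description": 'Needs "late" check-in'},
]
```

Running `find_formula_fields` over stored bookings is a cheap way to detect that the form has already been used to plant formula strings, independent of whether the export has been fixed.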

Exploits (1)

exploitdb · WORKING POC
by Daniel Monzón · text · webapps · php
https://www.exploit-db.com/exploits/48204

Scores

CVSS v3 7.8
EPSS 0.1934
EPSS Percentile 95.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-1236
Status published
Products (1)
codepeople/appointment_booking_calendar < 1.3.35
Published Mar 04, 2020
Tracked Since Feb 18, 2026