PHPJabbers Event Booking Calendar HTML Injection Vulnerability

Vulnerability

Multiple HTML injection vulnerabilities have been identified in PHPJabbers Event Booking Calendar version 4.0. The issue affects the 'name', 'plugin_sms_api_key', 'plugin_sms_country_code', and 'title' parameters. It allows attackers to inject malicious HTML that is then executed when the content is viewed by other users.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting: injected HTML or scripts are stored on the server and executed in the context of the user who views them.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the SMS Settings under the System Menu. Inject HTML tags into the 'SMS API Key' or 'Default Country Code' fields and save the changes. The injected HTML will be executed, demonstrating the injection flaw.
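The weak rendering pattern behind this class of flaw, shown beside a hardened form for the two SMS settings fields. This is an added example, not PHPJabbers code: the function names, the storage layout, and the accepted formats for the API key and country code are assumptions, and the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample: stored settings that hold markup instead of real values.
// Keys mirror the advisory's parameter names; the storage layout is assumed.
$stored = [
    'plugin_sms_api_key'      => '"><b>injected</b>',
    'plugin_sms_country_code' => '<i>44</i>',
];

// Hypothetical helper: encode for HTML text and quoted-attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Weak pattern: the stored value is concatenated as-is, so the quote closes
// the attribute and the tags become part of the page.
function renderFieldUnsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: every dynamic value is encoded at output time.
function renderFieldSafe(string $name, string $value): string
{
    return '<input type="text" name="' . e($name) . '" value="' . e($value) . '">';
}

// Defence in depth on save: allow-list validation (formats are assumptions).
// Returns the names of the fields that fail validation.
function validateSmsSettings(array $in): array
{
    $errors = [];
    if (!preg_match('/\A[A-Za-z0-9_\-]{8,128}\z/', $in['plugin_sms_api_key'] ?? '')) {
        $errors[] = 'plugin_sms_api_key';
    }
    if (!preg_match('/\A\+?[0-9]{1,4}\z/', $in['plugin_sms_country_code'] ?? '')) {
        $errors[] = 'plugin_sms_country_code';
    }
    return $errors;
}

foreach ($stored as $name => $value) {
    echo 'unsafe: ', renderFieldUnsafe($name, $value), PHP_EOL;
    echo 'safe:   ', renderFieldSafe($name, $value), PHP_EOL;
}
echo 'rejected on save: ', implode(', ', validateSmsSettings($stored)), PHP_EOL;
```

Output encoding is the primary control because it also neutralises values already stored before validation was introduced; the save-time check only limits what new input can be written.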

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 1.7
exploitability: 6.8
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.