PHPJabbers Hotel Booking System
cpe:2.3:a:phpjabbers:hotel_booking_system:*:*:*:*:*:*:*
- 4.0
A vulnerability allowing HTML injection has been identified in PHPJabbers Hotel Booking System version 4.0. This issue arises in the 'name', 'plugin_sms_api_key', 'plugin_sms_country_code', and 'title' parameters. The vulnerability can be exploited by injecting HTML tags into these fields, which are then saved and rendered, potentially leading to cross-site scripting (XSS) attacks.
Exploitation of this vulnerability allows for HTML injection, which can be used to execute cross-site scripting attacks, such as injecting malicious scripts that are executed in the context of the user's browser.
To reproduce this vulnerability, log into the admin panel and navigate to the SMS Settings under the System Menu. Inject HTML tags into the 'SMS API Key' or 'Default Country Code' input fields and save the changes. The injected HTML will be rendered, demonstrating the successful exploitation of the vulnerability.
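The mitigation for the stored values described above, as an added example that is not PHPJabbers code: validate the SMS settings on save and encode every stored value on output. The field names come from the advisory; the function names and allow-list patterns are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not PHPJabbers code. Field names are taken from the advisory;
// the allow-list patterns and function names below are assumptions.
const SMS_FIELD_RULES = [
    'plugin_sms_api_key'      => '/\A[A-Za-z0-9_\-]{1,128}\z/',
    'plugin_sms_country_code' => '/\A\+?[0-9]{1,4}\z/',
];

/** Validate on save: returns the rejected field names (empty array = accept). */
function validateSmsSettings(array $input): array
{
    $rejected = [];
    foreach (SMS_FIELD_RULES as $field => $pattern) {
        $value = $input[$field] ?? '';
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            $rejected[] = $field;
        }
    }
    return $rejected;
}

/** Encode on output: the stored value is emitted as text, never as markup. */
function renderSettingInput(string $field, string $stored): string
{
    $e = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('<input type="text" name="%s" value="%s">', $e($field), $e($stored));
}

// Constructed sample submission containing markup in both fields.
$submitted = [
    'plugin_sms_api_key'      => '"><b>injected</b>',
    'plugin_sms_country_code' => '<i>44</i>',
];

$rejected = validateSmsSettings($submitted);
echo 'Rejected on save: ', implode(', ', $rejected), PHP_EOL;

// Even if such a value is already stored, encoding keeps it inert when rendered.
echo renderSettingInput('plugin_sms_api_key', $submitted['plugin_sms_api_key']), PHP_EOL;
```

Free-text fields such as 'name' and 'title' cannot be allow-listed this tightly, so output encoding is the control that covers them.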