PHPJabbers Car Park Booking System Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in PHPJabbers Car Park Booking System version 3.0. This vulnerability allows attackers to inject malicious scripts into content that is permanently stored on the server. The issue arises in multiple parameters, including 'name', 'plugin_sms_api_key', 'plugin_sms_country_code', and 'title'. Exploitation of this vulnerability could lead to the execution of injected scripts when other users access the compromised content.
Impact
Exploitation of this vulnerability allows for the injection of malicious scripts that are executed in the context of the user viewing the affected content, potentially leading to session hijacking, defacement of websites, or other malicious actions depending on the nature of the injected script.
Reproduction
To reproduce this vulnerability, log into the admin panel of PHPJabbers Car Park Booking System version 3.0. Navigate to 'SMS Settings' under the 'System Menu'. In the 'SMS API Key' and 'Default Country Code' input fields, inject a cross-site scripting payload and save the changes. The injected script will execute, demonstrating the cross-site scripting vulnerability.
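How the two fields named in the reproduction steps can be handled defensively, as an added example that is not PHPJabbers code: allowlist validation when the settings are saved, plus output encoding when the stored value is rendered. The function names and the API key format are assumptions; only the parameter names come from the advisory.

```php
<?php
// Added example, not PHPJabbers code. Function names are hypothetical;
// only the parameter names are taken from the advisory.

// Allowlist validation applied when the SMS settings form is saved.
function validate_sms_settings(array $post): array
{
    $errors = [];
    $key = trim((string)($post['plugin_sms_api_key'] ?? ''));
    $cc  = trim((string)($post['plugin_sms_country_code'] ?? ''));

    // Assumption: API keys are alphanumeric plus '-' and '_', max 128 chars.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,128}\z/', $key)) {
        $errors[] = 'plugin_sms_api_key';
    }
    // Country calling codes are 1 to 3 digits, optionally prefixed with '+'.
    if (!preg_match('/\A\+?[0-9]{1,3}\z/', $cc)) {
        $errors[] = 'plugin_sms_country_code';
    }
    return [
        'values' => ['plugin_sms_api_key' => $key,
                     'plugin_sms_country_code' => $cc],
        'errors' => $errors,
    ];
}

// Output encoding for HTML text and quoted attribute values.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders one settings input; the stored value is always encoded,
// so a value saved before validation existed is still inert.
function render_input(string $name, string $stored): string
{
    return sprintf('<input type="text" name="%s" value="%s">',
                   attr($name), attr($stored));
}

// Constructed sample: a value containing markup characters.
$stored = '"><i>constructed</i>';
$check  = validate_sms_settings(['plugin_sms_api_key' => $stored,
                                 'plugin_sms_country_code' => '44']);
print_r($check['errors']);                               // fields refused on save
echo render_input('plugin_sms_api_key', $stored), "\n";  // encoded on output
```

Validation alone does not clean values already in the database, which is why the encoding step is applied on every render regardless of how the value was stored.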
