PT-2021-15959 · WordPress · Salon Booking System

Phu Tran

·

Published

2021-07-12

·

Updated

2021-07-15

·

CVE-2021-24429

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

The Salon Booking System WordPress plugin, versions prior to 6.3.1.

Description

The plugin does not properly sanitize and escape the First Name field submitted when booking an appointment. A low-privileged user can therefore store JavaScript in that field, resulting in a Stored Cross-Site Scripting (XSS) vulnerability. The script executes in the administrator's browser context when an admin views the "Calendar" page, where the stored value is rendered.

Recommendations

Update to version 6.3.1 or later, which resolves the issue. Until the update is applied, avoid viewing the "Calendar" page from an administrator account, since that is where the stored payload is rendered, and consider limiting the ability of low-privileged users, such as subscribers, to book appointments or submit custom First Name values. Also review existing bookings for HTML or script content in the First Name field: updating the plugin does not remove payloads that were stored before the update.
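As an added example, not code from the plugin or from this advisory: the store-and-echo pattern the description refers to, beside a hardened version that uses WordPress's sanitize_text_field(), esc_html() and esc_attr(). The function names, the in-memory $store array, the CSS class and the payloads are assumptions constructed for illustration; the stand-in function definitions exist only so the script also runs under the PHP CLI outside WordPress.

```php
<?php
// Added example (not the plugin's own code). It shows the vulnerable pattern
// described in the advisory, an unsanitized First Name stored and echoed into
// the admin Calendar markup, beside the hardened form. Function names, the
// $request/$store arrays and the CSS class are assumptions for illustration.

// Stand-ins so the script runs under the PHP CLI outside WordPress. Inside
// WordPress the real sanitize_text_field(), esc_html() and esc_attr() are
// loaded and these simplified definitions are skipped.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);
        return trim(preg_replace('/\s+/', ' ', $str));
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// --- Vulnerable pattern: value stored as received, echoed unescaped ---------
function book_appointment_vulnerable(array $request, array &$store): void {
    $store[] = ['first_name' => $request['first_name'] ?? ''];
}
function render_calendar_cell_vulnerable(array $booking): string {
    // Both a text node and an attribute receive the raw stored value.
    return '<div class="booking-cell" title="' . $booking['first_name'] . '">'
         . $booking['first_name'] . '</div>';
}

// --- Hardened pattern: sanitize on input AND escape on output --------------
// Escaping is done per output context: esc_html() for text nodes,
// esc_attr() for attribute values. Input sanitization alone is not enough,
// because records written before the fix (or through another code path) are
// still rendered by this function.
function book_appointment_fixed(array $request, array &$store): void {
    $store[] = ['first_name' => sanitize_text_field($request['first_name'] ?? '')];
}
function render_calendar_cell_fixed(array $booking): string {
    return '<div class="booking-cell" title="' . esc_attr($booking['first_name']) . '">'
         . esc_html($booking['first_name']) . '</div>';
}

// Constructed payloads in the style a low-privileged booker could submit.
$payloads = [
    '<img src=x onerror=alert(document.cookie)>',   // tag in a text node
    'Bob" onmouseover="alert(1)',                    // breaks out of an attribute
];
foreach ($payloads as $p) {
    $vuln = []; $fixed = [];
    book_appointment_vulnerable(['first_name' => $p], $vuln);
    book_appointment_fixed(['first_name' => $p], $fixed);
    echo "payload:    $p\n";
    echo "vulnerable: " . render_calendar_cell_vulnerable($vuln[0]) . "\n";
    echo "fixed:      " . render_calendar_cell_fixed($fixed[0]) . "\n\n";
}
```

Run it with `php example.php`. The second payload is the instructive one: sanitize_text_field() strips the image tag from the first payload, but it leaves the quote-and-attribute payload untouched, so only the context-specific escaping in the render function stops it from becoming an event handler on the admin page.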

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2021-24429

Affected Products

Salon Booking System