PT-2022-13458 · WordPress · Amelia

Vinay Kumar · Published 2022-03-23 · Updated 2024-01-11 · CVE-2022-0834

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Amelia WordPress plugin, versions up to and including 1.0.46

Description: The issue arises from insufficient escaping and sanitization of the lastName parameter in the ~/src/Application/Controller/User/Customer/AddCustomerController.php file. This allows attackers to inject arbitrary web scripts into a page; the scripts execute whenever a user views the booking calendar for the date into which the attacker injected the malicious payload.

Recommendations: For versions up to and including 1.0.46, update to a version that includes proper escaping and sanitization of the lastName parameter to prevent Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the AddCustomerController.php file or disabling the lastName parameter until a patch is available.
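As an added example (not the Amelia plugin's own code), the following hypothetical PHP intake and rendering path shows where the recommended sanitization and output escaping of lastName belong; the function names, field names and the fallback shims for the WordPress helpers are assumptions.

```php
<?php
// Hypothetical customer intake and calendar rendering (not Amelia's code).
// Shims so the snippet runs from the PHP CLI; inside WordPress the real
// sanitize_text_field() and esc_html() are used instead.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);                 // drop markup
        return trim(preg_replace('/[\r\n\t ]+/', ' ', $str));
    }
}
if (!function_exists('esc_html')) {
    function esc_html($str) {
        return htmlspecialchars((string) $str, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Input side: sanitize lastName (and firstName) before it is stored.
function add_customer(array $request): array {
    return [
        'firstName' => sanitize_text_field($request['firstName'] ?? ''),
        'lastName'  => sanitize_text_field($request['lastName'] ?? ''),
    ];
}

// Output side: escape at the point the name is written into HTML,
// whatever was stored (defence in depth against a missed sanitization).
function render_calendar_entry(array $customer): string {
    return '<li class="appointment">'
        . esc_html($customer['firstName']) . ' '
        . esc_html($customer['lastName'])
        . '</li>';
}

// Constructed request with a harmless markup canary in lastName.
$request = ['firstName' => 'Alice', 'lastName' => '<b>Smith</b>'];

// Sanitized path: the tags are stripped, so "Smith" is stored and rendered.
echo render_calendar_entry(add_customer($request)), PHP_EOL;

// Unsanitized path: even if raw input reached the template, esc_html()
// turns "<" into "&lt;" so the browser renders text, not markup.
echo render_calendar_entry($request), PHP_EOL;
```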

Fix · XSS

Weakness Enumeration: XSS
Related Identifiers: CVE-2022-0834
Affected Products: Amelia