PT-2024-18823 · WordPress · Salon Booking System

Priyanka Pande · Published 2024-04-16 · Updated 2024-07-03 · CVE-2024-2101

CVSS v3.1: 5.7 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Salon Booking System WordPress plugin, versions prior to 9.6.3.

Description: The plugin does not properly sanitize and escape the Mobile Phone field submitted when booking an appointment, which allows customers to store a Cross-Site Scripting payload. The payload is triggered when an administrator visits the "Customers" page, and the malicious script executes in the admin context.

Recommendations: For versions prior to 9.6.3, update to version 9.6.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Customers" page for administrators until the update is applied, and avoid using the Mobile Phone field in the booking system until the issue is resolved.
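To make the described defect concrete, the following is an added illustration (not the Salon Booking System plugin's own code) of the bug class beside its fix: a booking field echoed verbatim on an admin-only page, versus the same field sanitized on input and escaped on output. The sbs_* function names and the $customer array shape are assumptions; sanitize_text_field and esc_html are real WordPress core functions, with plain-PHP shims included so the snippet runs outside WordPress.

```php
<?php
// Added example, not code from the Salon Booking System plugin.
// Shims approximating the WordPress core helpers so this runs stand-alone;
// inside WordPress the real functions are used instead.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) {
        return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $s ) {
        return trim( strip_tags( (string) $s ) );
    }
}

// Vulnerable pattern (assumed shape of the bug described in the advisory):
// the value stored at booking time is written into the admin "Customers"
// table unescaped, so markup a customer typed runs in the admin's browser.
function sbs_render_phone_vulnerable( array $customer ) {
    return '<td>' . $customer['mobile_phone'] . '</td>';
}

// Hardened pattern, layer 1: sanitize on input. A phone number only needs
// digits and a little punctuation, so anything else is dropped before the
// value is ever stored, and the length is capped.
function sbs_sanitize_phone( $raw ) {
    $clean = sanitize_text_field( $raw );
    $clean = preg_replace( '/[^0-9+\-\s().]/', '', $clean );
    return mb_substr( $clean, 0, 32 );
}

// Hardened pattern, layer 2: escape on output every time, independent of
// what was stored, so a record written before the input filter existed is
// still rendered as inert text.
function sbs_render_phone_hardened( array $customer ) {
    return '<td>' . esc_html( $customer['mobile_phone'] ) . '</td>';
}

// Constructed sample input: a non-phone value carrying HTML markup.
$submitted = '<b>not a phone</b> +1 (555) 010-0000';
$customer  = array( 'mobile_phone' => $submitted );

echo "vulnerable: " . sbs_render_phone_vulnerable( $customer ) . "\n";
echo "escaped:    " . sbs_render_phone_hardened( $customer ) . "\n";
echo "sanitized:  " . sbs_sanitize_phone( $submitted ) . "\n";
```

Both layers matter: output escaping stops the stored script from executing on the Customers page, while input validation keeps non-phone data out of the database in the first place.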

Weakness Enumeration: XSS

Related Identifiers: CVE-2024-2101

Affected Products: Salon Booking System