PT-2024-18824 · WordPress · Salon Booking System

Cyc707 · Published 2024-04-16 · Updated 2024-08-01 · CVE-2024-2102

CVSS v3.1: 4.7 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

The Salon Booking System WordPress plugin, versions prior to 9.6.3.

Description

The issue arises from improper sanitization and escaping of the Mobile Phone field and the sms prefix parameter when booking an appointment, which allows customers to conduct Stored Cross-Site Scripting attacks. The payload is triggered when an admin visits the "Bookings" page, and the malicious script executes in the admin context.

Recommendations

For versions prior to 9.6.3, update to version 9.6.3 or later to resolve the issue. As a temporary workaround, consider restricting admin access to the "Bookings" page until the update is applied, and avoid using the sms prefix parameter in the booking process until the issue is resolved.
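As an added illustration (not the plugin's own code; the allowlist patterns and the sample rows are assumptions constructed for this example), the two defensive layers the root cause above points at: validating the Mobile Phone and sms prefix values on input, escaping them when the "Bookings" page is rendered, and auditing rows stored before the update for values that would fail the allowlist.

```python
import html
import re

# Allowlists for the two fields named in the advisory. Constructed for this
# example; the plugin's real validation rules are not on the page.
PHONE_RE = re.compile(r"^\+?[0-9 ()-]{4,20}$")
SMS_PREFIX_RE = re.compile(r"^\+?[0-9]{1,4}$")


def validate_booking_contact(phone: str, sms_prefix: str) -> dict:
    """Reject anything outside the allowlists before it is stored."""
    if not PHONE_RE.fullmatch(phone):
        raise ValueError("mobile phone rejected")
    if not SMS_PREFIX_RE.fullmatch(sms_prefix):
        raise ValueError("sms prefix rejected")
    return {"phone": phone, "sms_prefix": sms_prefix}


def render_booking_row(record: dict) -> str:
    """Output encoding for the admin bookings table: escape on output
    regardless of what input validation did (defence in depth)."""
    return "<td>{}</td><td>{}</td>".format(
        html.escape(record["sms_prefix"], quote=True),
        html.escape(record["phone"], quote=True),
    )


def find_suspicious_records(records) -> list:
    """Return ids of stored rows that would not pass validation today,
    e.g. when auditing bookings collected before the plugin was updated."""
    flagged = []
    for rec in records:
        try:
            validate_booking_contact(rec["phone"], rec["sms_prefix"])
        except ValueError:
            flagged.append(rec["id"])
    return flagged


# Constructed sample rows, not data from any real installation.
SAMPLE_RECORDS = [
    {"id": 1, "sms_prefix": "+44", "phone": "7700 900123"},
    {"id": 2, "sms_prefix": "<b>44</b>", "phone": "7700 900456"},
    {"id": 3, "sms_prefix": "+1", "phone": "<i>555-0100</i>"},
]

if __name__ == "__main__":
    print(find_suspicious_records(SAMPLE_RECORDS))  # [2, 3]
    print(render_booking_row(SAMPLE_RECORDS[1]))
```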

XSS

Related Identifiers

CVE-2024-2102

Affected Products

Salon Booking System