CVE-2024-12077

Name of the Vulnerable Software and Affected Versions Booking Calendar versions prior to 3.2.19 Booking Calendar Pro versions prior to 11.2.19

Description The issue concerns a Reflected Cross-Site Scripting vulnerability via the calendar id parameter due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action, such as clicking on a link.

Recommendations For Booking Calendar versions prior to 3.2.19, update to version 3.2.19 or later to resolve the issue. For Booking Calendar Pro versions prior to 11.2.19, update to version 11.2.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the calendar id parameter to minimize the risk of exploitation.