CVE-2021-24225— Advanced Booking Calendar < 1.6.7 - Authenticated Reflected Cross-Site Scripting (XSS)

EPSS 0.16% · P37 Updated Feb 24, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2021-24225

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Advanced Booking Calendar < 1.6.7 - Authenticated Reflected Cross-Site Scripting (XSS)

Source: NVD (National Vulnerability Database)

Vulnerability Description

The Advanced Booking Calendar WordPress plugin before 1.6.7 did not sanitise the calId GET parameter in the "Seasons & Calendars" page before outputing it in an A tag, leading to a reflected XSS issue

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Source: NVD (National Vulnerability Database)

Vulnerability Title

WordPress 插件跨站脚本漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

WordPress 插件是WordPress开源的一个应用插件。 WordPress插件 Advanced Booking Calendar 1.6.7版本之前存在跨站脚本漏洞，该漏洞源于插件并没有在“季节和日历”页面中清除GET参数，然后将其输出到一个A标签中，导致了跨站脚本漏洞。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Unknown	Advanced Booking Calendar	1.6.7 ~ 1.6.7	-

II. Public POCs for CVE-2021-24225

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2021-24225

请登录查看更多情报信息。

Same Patch Batch · Unknown · 2021-04-12 · 14 CVEs total

CVE-2021-24231		Patreon WordPress < 1.7.0 - CSRF to Disconnect Sites From Patreon
CVE-2021-24230		Patreon WordPress < 1.7.0 - CSRF to Overwrite/Create User Meta
CVE-2021-24229		Patreon WordPress < 1.7.2 - Reflected XSS on patreon_save_attachment_patreon_level AJAX ac
CVE-2021-24228		Patreon WordPress < 1.7.2 - Reflected XSS on Login Form
CVE-2021-24227		Patreon WordPress < 1.7.0 - Unauthenticated Local File Disclosure
CVE-2021-24226		AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage
CVE-2021-24224		Easy Form Builder <= 1.0 - Authenticated Arbitrary File Upload
CVE-2021-24223		N5 Upload Form <= 1.0 - Unauthenticated Arbitrary File Upload to RCE
CVE-2021-24222		WP-Curricul Vitea Free <= 6.3 - Unauthenticated Arbitrary File Upload to RCE
CVE-2021-24221		Quiz And Survey Master < 7.1.12 - Authenticated SQL injection via shortcode
CVE-2021-24218		Facebook for WordPress 3.0.0-3.0.3 - CSRF to Stored XSS and Settings Deletion
CVE-2021-24217		Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain
CVE-2021-24215		Controlled Admin Access < 1.5.2 - Improper Access Control & Privilege Escalation

IV. Related Vulnerabilities

Same product: Advanced Booking Calendar

Same vendor: Unknown

Same weakness: CWE-79

V. Comments for CVE-2021-24225

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2021-24225— Advanced Booking Calendar < 1.6.7 - Authenticated Reflected Cross-Site Scripting (XSS)

I. Basic Information for CVE-2021-24225

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2021-24225

III. Intelligence Information for CVE-2021-24225

Same Patch Batch · Unknown · 2021-04-12 · 14 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2021-24225

Leave a comment