CVE-2022-0834 HIGH

CVE-2022-0834: Amelia <= 1.0.46 - Stored Cross Site Scripting via lastName

Vendor Ameliabooking
Product Booking for Appointments and Events Calendar – Amelia
Weakness CWE-79 · XSS
Published March 23, 2022
Last update April 8, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

The Amelia WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the lastName parameter found in the ~/src/Application/Controller/User/Customer/AddCustomerController.php file. This allows attackers to inject arbitrary web scripts onto a page, and the scripts execute whenever a user accesses the booking calendar for the date into which the attacker has injected the malicious payload. This affects versions up to and including 1.0.46.

Key dates

02 Disclosure timeline

March 23, 2022 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04 Related CVE