CVE-2024-7129
Published: 13 September 2024
Summary
CVE-2024-7129 is a high-severity vulnerability of unspecified weakness type in Nsqua Simply Schedule Appointments. Its CVSS base score is 7.2 (High).
Operationally, it is ranked in the top 5.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Appointment Booking Calendar WordPress plugin before version 1.6.7.43 is affected by a Twig template injection vulnerability. The root cause is a failure to escape template syntax supplied through user input, which can be escalated to remote code execution.
High-privilege users such as site administrators can supply malicious template directives to execute arbitrary code on the server. The issue carries a CVSS 3.1 score of 7.2, reflecting a network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability when successfully exploited.
The vulnerability is tracked in a WPScan advisory that identifies the affected plugin versions and the fixed release.
EPSS reached a peak of 0.1559 after disclosure, indicating emerging exploitation interest that warrants renewed attention despite the requirement for administrative access.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-48106
Vulnerability details
The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig template injection which, if further exploited, can result in remote code execution by high-privilege users such as admins.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.