CVE-2024-11356: 
WordPress vulnerability analysis and mitigation

The tourmaster WordPress plugin before version 5.3.4 contains a Cross-Site Scripting (XSS) vulnerability. The plugin fails to properly sanitize and escape certain parameters when outputting them on the page, allowing unauthenticated users to perform Cross-Site Scripting attacks (WPScan, NVD). This vulnerability was discovered and reported by Bob Matyas on December 16, 2024.

The vulnerability exists due to improper input validation in the room booking functionality. When processing user input in the checkout form, particularly in the "Name" fields, the plugin fails to properly sanitize and escape the data before displaying it in the admin dashboard. The vulnerability has been assigned a CVSS score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (WPScan).

The vulnerability allows unauthenticated attackers to inject malicious scripts that execute in the context of the admin dashboard. When administrators view the booking orders page, any injected scripts will execute with administrative privileges, potentially leading to unauthorized actions or data theft (WPScan).

Users are advised to update their Tourmaster plugin to version 5.3.4 or later, which contains the fix for this vulnerability (WPScan).