WPVDB-ID: 0EB40CD5-838E-4B53-994D-22CF7C8A6C50
Rohan Chaudhari
Feb 28, 2022

Modern Events Calendar Lite < 6.4.0 - Contributor+ Stored Cross Site Scripting

Source: wpscan.com

EPSS: 0.001 (Low), percentile 24.8%

The plugin does not sanitize and escape some of the Hourly Schedule parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

PoC

As a Contributor, create or edit an Event and add the following payload in the “Hourly Schedule” title, as well as in any of the “hourly schedule row” fields (i.e. from, to, title and description):

The XSS will be triggered when viewing/previewing the event.

By using a payload such as "> in the Hourly Schedule title field, an XSS can also be triggered when editing the Event again (as long as the event hasn’t been viewed/previewed yet), because the stored value is written back into an HTML attribute in the edit form without escaping.
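To illustrate the defect class the advisory describes, here is an added PHP example that is not the plugin's own code: a hypothetical render function that prints hourly-schedule rows unescaped (both on the front end and back into the edit form's input value), next to a hardened version that sanitizes on save and escapes per output context. The WordPress functions sanitize_text_field, esc_html and esc_attr are real; the shims at the top stand in for them only so the file runs under plain php outside WordPress. The sample row, the payload strings and the function names are constructed for the example.

```php
<?php
// Added example, not code from Modern Events Calendar Lite.
// Shims so this runs under plain `php` outside WordPress; inside WordPress
// the real functions already exist and these blocks are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of WP's sanitize_text_field: strip tags and control chars, trim.
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}

// Constructed Contributor input for one hourly-schedule row (hypothetical payloads).
$row = [
    'from'        => '09:00',
    'to'          => '<img src=x onerror=alert(1)>',
    'title'       => '"><script>alert(document.domain)</script>',
    'description' => '<b>talk</b>',
];

// VULNERABLE: values are concatenated straight into HTML (event view) and into
// a value="..." attribute (edit form). The leading '">' in 'title' closes the
// attribute and the <input> tag, so the script also runs in wp-admin on edit.
function render_row_vulnerable(array $row): string {
    return '<li>' . $row['from'] . ' - ' . $row['to'] . ': ' . $row['title'] . '</li>';
}
function edit_field_vulnerable(array $row): string {
    return '<input type="text" name="hourly_title" value="' . $row['title'] . '">';
}

// HARDENED: sanitize on save, and still escape on output (data stored before the
// fix is still in the database), choosing the escaper by output context.
function save_row(array $raw): array {
    $clean = [];
    foreach (['from', 'to', 'title', 'description'] as $k) {
        $clean[$k] = sanitize_text_field($raw[$k] ?? '');
    }
    return $clean;
}
function render_row_safe(array $row): string {
    return '<li>' . esc_html($row['from']) . ' - ' . esc_html($row['to'])
         . ': ' . esc_html($row['title']) . '</li>';
}
function edit_field_safe(array $row): string {
    // Attribute context: esc_attr turns the '"' into &quot; so the value cannot
    // break out of the attribute.
    return '<input type="text" name="hourly_title" value="' . esc_attr($row['title']) . '">';
}

echo "vulnerable view: ", render_row_vulnerable($row), PHP_EOL;
echo "vulnerable edit: ", edit_field_vulnerable($row), PHP_EOL;
$stored = save_row($row);
echo "hardened view:   ", render_row_safe($stored), PHP_EOL;
echo "hardened edit:   ", edit_field_safe($stored), PHP_EOL;
```

Run it with php on the command line and compare the four lines: the vulnerable edit-form output contains a closed input tag followed by a live script element, while the hardened output keeps the whole value inside value="…" as entity-encoded text. The point the advisory makes about the edit form is why escaping must be chosen by context: esc_html is the right call for text between tags, esc_attr for text inside an attribute value, and sanitizing on save alone does not protect rows that were already stored.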

Affected software

CPE Name                       Operator   Version
modern-events-calendar-lite    lt (<)     6.4.0

