WordPress Plugin Vulnerabilities
My Calendar <= 2.5.16 - Authenticated Cross-Site Scripting (XSS)
Description
An authenticated user who can add new events can inject arbitrary JavaScript code via the event_time_label input. The injected code runs both on the event page and in the admin panel.
In my-calendar-event-manager.php, line 1873, the variable $eventTime is not sanitized.
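The fix pattern for this class of bug, as an added example that is not My Calendar's code: the label is reduced to plain text when submitted and escaped again at output in both places the description says it is rendered. Function names are hypothetical, the sample value is constructed, and the plain-PHP calls stand in for WordPress's sanitize_text_field(), esc_html() and esc_attr().

```php
<?php
// Added example; not the plugin's code. All function names are hypothetical.
// Inside a WordPress plugin, sanitize_text_field(), esc_html() and esc_attr()
// would replace the plain-PHP calls used here so the file runs stand-alone.

// Input side: reduce the submitted event_time_label to plain text before storing.
function clean_time_label(string $raw): string {
    $text = strip_tags($raw);                                        // drop markup
    $text = (string) preg_replace('/[\x00-\x1F\x7F]+/', ' ', $text); // drop control chars
    return trim($text);
}

// Shared escaper for HTML text and quoted-attribute contexts.
function escape_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Output side, public event page: the label is placed in HTML text.
function render_event_time(string $eventTime): string {
    return '<span class="event-time">' . escape_html($eventTime) . '</span>';
}

// Output side, admin panel: the label is placed in a quoted attribute value.
function render_admin_field(string $eventTime): string {
    return '<input type="text" name="event_time_label" value="'
         . escape_html($eventTime) . '">';
}

// Constructed sample: a label carrying a quote, a tag close and markup.
$submitted = '"><em>All day</em>';

// New submissions are cleaned before they are saved.
$stored = clean_time_label($submitted);
echo "stored:     ", $stored, PHP_EOL;
echo "event page: ", render_event_time($stored), PHP_EOL;
echo "admin:      ", render_admin_field($stored), PHP_EOL;

// Rows saved before the fix still hold raw input, so output escaping has to
// hold on its own: the raw value renders as inert text in both contexts.
echo "legacy row, event page: ", render_event_time($submitted), PHP_EOL;
echo "legacy row, admin:      ", render_admin_field($submitted), PHP_EOL;
```

Escaping at output is the part that covers labels already stored by an affected version; input sanitization alone leaves those rows live.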
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
Miscellaneous
Submitter
Ryan
Submitter twitter
Verified
No
WPVDB ID
Timeline
Publicly Published
2018-04-04 (about 8 years ago)
Added
2018-04-04 (about 8 years ago)
Last Updated
2019-11-01 (about 6 years ago)