Modern Events Calendar Lite < 6.4.0 – Contributor+ Stored Cross Site Scripting | CVE 2022-0364 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape some of the Hourly Schedule parameters which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks

Proof of Concept

As a contributor, create/edit an Event, add the following payload in a "Hourly Schedule" title, as well as any of the "hourly schedule row" fields (ie from, to, title and description): <script>alert(/XSS/)</script>

The XSS will be triggered when viewing/previewing the event

By using a payload such as "><script>alert(/XSS/)</script> in the Hourly Schedule title field, an XSS can also be triggered when editing the Event again (as long as the event hasn’t been viewed/previewed yet)

Affects Plugins

modern-events-calendar-lite

Fixed in 6.4.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Rohan Chaudhari

Submitter

Rohan Chaudhari

Submitter website

https://www.linkedin.com/in/rohan-chaudhari-53aa51174

Verified

Yes

WPVDB ID

0eb40cd5-838e-4b53-994d-22cf7c8a6c50

Timeline

Publicly Published

2022-02-28 (about 3 years ago)

Added

2022-02-28 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2025-01-06

Title

WP Triggers Lite <= 2.5.3 - Admin+ SQL Injection

Published

2015-08-13

Title

My Page Order <= 4.3 - Authenticated Cross-Site Scripting (XSS)

Published

2023-11-28

Title

Molongui < 4.6.20 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2014-05-28

Title

Rezgo < 2.0.0 - Reflected Cross-Site Scripting

Published

2025-04-01

Title

Simple Map No Api <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting