WordPress Plugin Vulnerabilities
Modern Events Calendar Lite < 5.16.5 - Authenticated Stored Cross-Site Scripting (XSS)
Description
The plugin did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event.
Edit (WPScanTeam)
January 22nd, 2021 - Vendor Contacted via their ticket support (https://support.webnus.net/)
January 23rd, 2021 - Vendor stated It's not a security issue and a role manager plugin should be installed, escalated to WordPress Plugins Team.
January 27th, 2021 - v5.16.5 released, fixing the issue
Proof of Concept
https://drive.google.com/file/d/1Cyy1Th5g1t9yXfvYGDrAFMgDP4USfv5c/view?usp=sharing
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)
Submitter
khanh
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-01-29 (about 3 years ago)
Added
2021-01-29 (about 3 years ago)
Last Updated
2021-01-31 (about 3 years ago)