Modern Events Calendar Lite < 5.16.5 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2021-24147

Description

The plugin did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event.

Edit (WPScanTeam)
January 22nd, 2021 - Vendor Contacted via their ticket support (https://support.webnus.net/)
January 23rd, 2021 - Vendor stated It's not a security issue and a role manager plugin should be installed, escalated to WordPress Plugins Team.
January 27th, 2021 - v5.16.5 released, fixing the issue

Proof of Concept

https://drive.google.com/file/d/1Cyy1Th5g1t9yXfvYGDrAFMgDP4USfv5c/view?usp=sharing

Affects Plugins

modern-events-calendar-lite

Fixed in 5.16.5

References

CVE

CVE-2021-24147

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)

Submitter

khanh

Submitter website

http://research.sun-asterisk.com/

Verified

Yes

WPVDB ID

0f9ba284-5d7e-4092-8344-c68316b0146f

Timeline

Publicly Published

2021-01-29 (about 3 years ago)

Added

2021-01-29 (about 3 years ago)

Last Updated

2021-01-31 (about 3 years ago)

Other

Published

Title

Published

2014-08-01

Title

Uploader 1.0.0 - wp-content/plugins/uploader/views/notify.php num Parameter XSS

Published

2024-03-16

Title

Sitekit < 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2024-01-26

Title

(Simply) Guest Author Name < 4.35 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-03-03

Title

CPO Content Types <= 1.1.0 - Admin+ Stored XSS

Published

2023-11-07

Title

Seo By 10Web <= 1.2.9 - Reflected XSS