Modern Events Calendar Lite < 5.16.5 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event.

Edit (WPScanTeam)
January 22nd, 2021 - Vendor Contacted via their ticket support (https://support.webnus.net/)
January 23rd, 2021 - Vendor stated It's not a security issue and a role manager plugin should be installed, escalated to WordPress Plugins Team.
January 27th, 2021 - v5.16.5 released, fixing the issue

Proof of Concept

https://drive.google.com/file/d/1Cyy1Th5g1t9yXfvYGDrAFMgDP4USfv5c/view?usp=sharing

Affects Plugins

modern-events-calendar-lite

Fixed in version 5.16.5✓

References

CVE

CVE-2021-24147

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)

Submitter

khanh

Submitter website

http://research.sun-asterisk.com/

Verified

Yes

WPVDB ID

0f9ba284-5d7e-4092-8344-c68316b0146f

Timeline

Publicly Published

2021-01-29 (about 8 months ago)

Added

2021-01-29 (about 8 months ago)

Last Updated

2021-01-31 (about 7 months ago)

Our Other Services

WPScan WordPress Security Plugin