Event Calendar WD <= 1.1.21 – Cross-Site Scripting (XSS) | CVE 2018-16164

Affects Plugins

event-calendar-wd

Fixed in 1.1.22

References

CVE

CVE-2018-16164

URL

https://jvn.jp/en/jp/JVN75738023/index.html

URL

https://plugins.trac.wordpress.org/changeset/1961423/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

Yuta Kitaoka

Submitter

Ryan Dewhurst

Submitter twitter

ethicalhack3r

Verified

No

WPVDB ID

159a677a-5aa8-42dd-a69b-441103967650

Timeline

Publicly Published

2018-11-02 (about 7 years ago)

Added

2019-01-10 (about 7 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2024-09-30

Title

Depicter Slider < 3.5.0 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2024-12-16

Title

CRM Perks – WordPress HelpDesk Integration – Zendesk, Freshdesk, HelpScout < 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-12-11

Title

GeoFlickr < 1.4 - Reflected Cross-Site Scripting

Published

2024-10-08

Title

Auto iFrame < 1.8 - Authenticated (Author+) Stored Cross-Site Scripting via tag Parameter

Published

2026-02-18

Title

iXML – Google XML sitemap generator <= 0.6 - Reflected Cross-Site Scripting via 'iXML_email' Parameter