SpiderCalendar <= 1.5.65 – Reflected Cross-Site Scripting | CVE 2022-0212

Description

The plugin does not sanitise and escape the callback parameter before outputting it back in the page via the window AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting issue.

Note: Vendor decided to close the plugin and it won't be maintained anymore

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=window&callback=%3C/script%3E%3Cimg/src/onerror=alert(/XSS/);%3E

Affects Plugins

spider-event-calendar

No known fix

References

CVE

CVE-2022-0212

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.1 (medium)

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

15be2d2b-baa3-4845-82cf-3c351c695b47

Timeline

Publicly Published

2022-01-13 (about 2 years ago)

Added

2022-01-13 (about 2 years ago)

Last Updated

2022-04-09 (about 2 years ago)

Other

Published

Title

Published

2015-08-19

Title

Floating Social Media Icon <= 2.1 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2022-07-20

Title

Duplicate Page and Post Plugin < 2.8 - Admin+ Stored Cross-Site Scripting

Published

2022-08-22

Title

WP Server Health Stats < 1.7.0 - Admin+ Stored Cross-Site Scripting

Published

2021-08-30

Title

User Activity Log < 1.4.7 - Reflected Cross Site Scripting via Query String

Published

2016-09-21

Title

W3 Total Cache < 0.9.5 - Authenticated Reflected Cross-Site Scripting (XSS)