WordPress Plugin Vulnerabilities

Scoutnet Kalender <= 1.1.0 - Stored Cross-Site Scripting (XSS)

Description

The plugin does not sanitise the 'Info' field from embedded calendars (which are retrieved from Scoutnet and are not necessarily owned/managed by the administrator of the blog).

Affects Plugins

Plugin icon
scoutnet-kalender
No known fix

References

CVE
CVE-2019-19198
URL
https://packetstormsecurity.com/files/#155615/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Simon Moser
Verified
No
WPVDB ID
29bdb558-50c5-49d9-ade4-e2870c3129a1

Timeline

Publicly Published
2019-12-10 (about 6 years ago)
Added
2019-12-10 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2024-03-29
Title
Aesop Story Engine <= 2.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-01-10
Title
Neoforum <= 1.0 - Reflected Cross-Site Scripting
Published
2025-04-11
Title
WP Featured Screenshot <= 1.3 - Reflected Cross-Site Scripting
Published
2023-03-21
Title
Simple Custom Author Profiles <= 1.0.0 - Admin+ Stored Cross-Site Scripting
Published
2024-11-08
Title
Icon Widget <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting