Modern Events Calendar Lite < 5.22.2 – Admin+ Stored Cross-Site Scripting | CVE 2021-24687 | Plugin Vulnerabilities

Description

The plugin does not escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Go to the plugin Settings > Messages > Taxonomies (/wp-admin/admin.php?page=MEC-settings&tab=MEC-messages)

Put the following payload in the Category Plural Label, Category Plural Label or Label Plural Label fields: "><script>alert(/XSS/)</script>

The XSS will be triggered in any backend pages

Affects Plugins

modern-events-calendar-lite

Fixed in 5.22.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Shivam Rai

Submitter

Shivam Rai

Submitter twitter

Verified

Yes

WPVDB ID

300ba418-63ed-4c03-9031-263742ed522e

Timeline

Publicly Published

2021-09-06 (about 2 years ago)

Added

2021-09-06 (about 2 years ago)

Last Updated

2023-01-29 (about 1 years ago)

Other

Published

Title

Published

2023-05-22

Title

Leyka < 3.30.2 - Reflected XSS

Published

2022-04-19

Title

BMI BMR Calculator <= 1.3 - Reflected Cross-Site Scripting

Published

2017-02-24

Title

GD Rating System < 2.1 - XSS

Published

2023-11-15

Title

BMI Calculator Plugin <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-12-26

Title

Sticky Chat Widget < 1.1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting