Modern Events Calendar Lite < 5.22.3 – Authenticated Stored Cross Site Scripting | CVE 2021-24716 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize or escape values set by users with access to adjust settings withing wp-admin.

Proof of Concept

* Go to Setting Tab Under Calendar Lite Plugin
* Under Setting tab Click on Slugs/Permalinks tab
* Enter the XSS payload into Main Slug and Category Slug both. Both fields are vulnerable.
XSS payload used : "><script>alert(1)</script>
* Click On Save Changes. then visit to Setting tab again or reload it. XSS will popup.

Affects Plugins

modern-events-calendar-lite

Fixed in 5.22.3

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Shivam Rai

Submitter

Shivam Rai

Submitter twitter

Verified

Yes

WPVDB ID

576cc93d-1499-452b-97dd-80f69002e2a0

Timeline

Publicly Published

2021-09-29 (about 2 years ago)

Added

2021-09-29 (about 2 years ago)

Last Updated

2022-04-12 (about 2 years ago)

Other

Published

Title

Published

2023-10-17

Title

Thumbnail Slider With Lightbox < 1.0.20 - Admin+ Stored XSS

Published

2023-12-07

Title

Machic Core <= 1.2.6 - Reflected Cross-Site Scripting

Published

2023-05-19

Title

Groundhogg < 2.7.10 - Contributor+ Stored XSS

Published

2021-06-10

Title

Real Estate 7 < 3.1.1 - Reflected Cross-Site Scripting (XSS)

Published

2023-10-23

Title

Live Chat with Facebook Messenger < 1.0 - Contributor+ Stored XSS via Shortcode